
Zoho Corporation has addressed a medium-severity session-management vulnerability (CVE-2025-1723) in ManageEngine ADSelfService Plus builds 6510 and earlier. The flaw in the product's session handling could enable the holder of a valid account to take over other valid accounts, and with them their privileges, when multi-factor authentication (MFA) for ADSelfService Plus logins is not enabled. The Dutch National Cyber Security Centre (NCSC) rated it as a medium-likelihood, high-impact vulnerability (NCSC-2025-0071) [1].
Key Points
- Affected product: ManageEngine ADSelfService Plus ≤ v6510
- Vulnerability type: Session mismanagement (CVE-2025-1723)
- Risk: Account takeover via session hijacking
- Mitigation: Apply vendor patches immediately
- Criticality: Medium likelihood (M), High damage potential (H) per NCSC
Technical Analysis
The vulnerability resides in the session handling of ADSelfService Plus, an enterprise self-service password management and single sign-on product. The NCSC advisories [1][2] do not publish a root cause; what they state is that a valid account holder can abuse the flaw to take over accounts, and that the condition for this is MFA not being enforced. For a session-management weakness of this kind, the attack paths a practitioner should assume are:
- Manipulation or reuse of session tokens by an authenticated user
- Session fixation, where a victim authenticates into a session identifier the attacker already holds
- Privilege escalation through crafted requests that act under another account's session
“This problem enables valid account holders to abuse the system, potentially leading to account takeover scenarios when Multi-Factor Authentication is not enabled.” [1]
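Because the advisories list session fixation among the abuse paths without detailing it, the following added example (written for this page, not ADSelfService Plus code, and not a claim about the product's actual root cause) shows the generic pattern in a constructed in-memory session store: an attacker obtains a pre-authentication session identifier, plants it in the victim's browser, and the victim then logs in. If the application keeps the same identifier across authentication, the planted identifier becomes an authenticated session the attacker controls; regenerating the identifier at login defeats this. The class and function names are invented for the illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store. rotate_on_login=False models the
    fixation-prone behaviour; True models the hardened behaviour."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    def anonymous_session(self) -> str:
        # Pre-authentication session, as issued to any visitor before login.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        # Unknown identifiers get a fresh session; known ones are upgraded.
        if sid not in self.sessions:
            sid = self.anonymous_session()
        if self.rotate_on_login:
            # Hardened: discard the pre-auth id and issue a new one, so any id an
            # attacker planted before login is worthless afterwards.
            self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
        # Vulnerable variant reaches this line with the pre-auth id unchanged.
        self.sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store: SessionStore):
    """Returns the account the attacker's planted session id resolves to after
    the victim logs in (None means the attack failed)."""
    planted = store.anonymous_session()   # attacker fetches a pre-auth id
    store.login(planted, "victim")        # victim logs in with the planted id (e.g. via a forced cookie)
    return store.whoami(planted)          # attacker checks whether the planted id is now authenticated


if __name__ == "__main__":
    print("no rotation:", fixation_attack(SessionStore(rotate_on_login=False)))  # victim
    print("rotation:   ", fixation_attack(SessionStore(rotate_on_login=True)))   # None
```

The same rotation should happen at every privilege boundary (login, MFA completion, role change), and the old identifier must be invalidated server-side, not merely replaced in the cookie.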
Impact Assessment
| Component | Risk Factor | Notes |
|---|---|---|
| Account takeover | High | Session hijacking of valid accounts when MFA is not enforced |
| Privilege escalation | Medium | Requires a valid, authenticated account |
| Exploit complexity | Low | No preconditions beyond a valid account and MFA being disabled |
Security researchers should note that this vulnerability differs from earlier ManageEngine flaws such as CVE-2021-40539 (an unauthenticated REST API authentication bypass leading to remote code execution) in that it:
- Requires an existing, valid account
- Targets session management rather than REST API endpoints
- Is mitigated, per the vendor and NCSC, when MFA is enforced for ADSelfService Plus logins
Detection and Mitigation
For System Administrators:
- Verify the installed build. Avoid querying Win32_Product, which triggers an MSI consistency check of every installed package; read the uninstall registry keys instead and compare the result with the build number shown in the product's own web console:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*ADSelfService Plus*' } | Select-Object DisplayName, DisplayVersion
- Patch immediately to a fixed build using Zoho's updates [3]
- Enforce MFA for ADSelfService Plus logins. This is configured in the product's admin console (under Configuration, Self-Service, Multi-factor Authentication; exact menu labels vary by build), not through an XML file, and it must be enabled in every self-service policy, not only for a subset of users
For SOC Teams:
Monitor for these indicator patterns in ADSelfService Plus audit logs and the reverse proxy or web server in front of it:
- Abnormally long sessions for a single user or source IP
- The same account authenticating from multiple source IPs within a short window
- The same session identifier appearing from more than one source IP, which suggests the session has been hijacked
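The indicator patterns listed above, expressed as detection logic over sample log lines. This is an added example for this page, not ADSelfService Plus's log format or any vendor-supplied rule: the pipe-separated lines below are constructed, and you would map the timestamp, event, user, source IP and session identifier fields from your own audit or proxy logs. The thresholds (10-minute login window, 8-hour maximum session) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp|event|user|src_ip|session_id
SAMPLE_LOG = """\
2025-03-01T09:00:00|LOGIN|alice|10.1.1.5|S1
2025-03-01T09:05:00|ACTION|alice|10.1.1.5|S1
2025-03-01T09:06:00|ACTION|alice|203.0.113.9|S1
2025-03-01T09:10:00|LOGIN|bob|10.1.1.7|S2
2025-03-01T09:12:00|LOGIN|bob|198.51.100.4|S3
2025-03-01T09:13:00|LOGIN|carol|10.1.1.8|S4
2025-03-01T21:30:00|ACTION|carol|10.1.1.8|S4
"""


def parse(text: str):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, sid = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip, "sid": sid})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, auth_window=timedelta(minutes=10), max_session=timedelta(hours=8)):
    """Return (indicator, subject, detail) tuples for the three patterns."""
    findings = []

    # 1 and 2: per-session view, covers session hijack (one id, many IPs)
    # and abnormally long sessions.
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    for sid, evs in by_sid.items():
        ips = {e["ip"] for e in evs}
        if len(ips) > 1:
            findings.append(("SESSION_MULTI_IP", sid, sorted(ips)))
        span = evs[-1]["ts"] - evs[0]["ts"]
        if span > max_session:
            findings.append(("SESSION_TOO_LONG", sid, span))

    # 3: same account logging in from different IPs within auth_window.
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN":
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= auth_window:
                findings.append(("USER_MULTI_IP_LOGIN", user, (a["ip"], b["ip"])))
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

On the sample data this flags session S1 (used from two IPs), carol's session S4 (open for over twelve hours) and bob (two logins from different IPs two minutes apart). A corporate VPN or NAT pool will produce benign hits on the per-user rule, so exclude known egress ranges before alerting.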
Relevance to Security Practitioners
Red Teams can leverage this for:
- Lateral movement after initial compromise
- Persistence via legitimate account abuse
Blue Teams should:
- Inventory all ADSelfService Plus instances, including test and DR deployments, and confirm each is on a fixed build
- Implement session timeout and idle-logout policies in the product
- Monitor for spikes in Windows Event ID 4740 (account lockout), which can indicate credential guessing against the self-service portal; this is a supporting indicator only, since exploitation itself requires a valid account rather than guessed credentials
Conclusion
While less severe than unauthenticated RCE flaws, CVE-2025-1723 presents a tangible risk in environments with weak MFA adoption, because a single compromised or malicious account becomes a path to other accounts. Organizations running affected builds should prioritize patching, enforce MFA for ADSelfService Plus logins, and verify session management controls. This case reinforces the need for defense-in-depth strategies combining patch management with robust authentication policies.