ManageEngine ADSelfService Plus has been abused in the wild due to a zero-day vulnerability

Threat Level – Red | Vulnerability Report
Download PDF

For a detailed advisory, download the pdf file here.

An APT actor is attempting to exploit a zero-day vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution that poses a high risk to critical infrastructure companies, US-cleared defense contractors, academic institutions, and other entities that use the software. The FBI, CISA, and CGCYBER highly advise companies to ensure that ADSelfService Plus is not directly accessible via the internet. The Hive pro threat research team also recommends that ADSelfService be updated to version 6114.

The techniques used by the APT actor includes:

T1190 – Exploit Public-Facing Application T1505.003 – Server Software Component: Web Shell T1027 – Obfuscated Files or Information T1140 – Deobfuscate/Decode Files or Information T1003 – OS Credential Dumping T1218 – Signed Binary Proxy Execution T1136 – Create Account T1003.003 – OS Credential Dumping: NTDS T1047 –  Windows Management Instrumentation T1070.004 – Indicator Removal on Host: File Deletion T1087.002 – Account Discovery: Domain Account T1560.001 – Archive Collected Data: Archive via Utility T1573.001 –  Encrypted Channel: Symmetric Cryptography

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Link


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox