USG Warns Of ‘Critical’ Vulnerability That Poses ‘Serious Risk’ To Defense Contractors, Others
Earlier this week, the US FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory warning the public of alleged active exploitation of a critical vulnerability found in a popular password management solution from Zoho. Zoho’s ManageEngine ADSelfService Plus, a tool that aids users in creating strong passwords and managing two-factor authentication, is at risk of exploitation. According to the US government, the vulnerability poses a serious risk to critical infrastructure companies, defense contractors, and academic institutions. ManageEngine is used by organizations as a self-service password solution for cloud applications, virtual private networks, and other enterprise IT assets.
Zoho released a patch for the vulnerability nine days ago, and entities using the password management platform are encouraged to implement the fix as soon as possible. Since the patch release, advanced persistent threat (APT) cyber actors have been observed exploiting the vulnerability. The joint advisory did not indicate which APTs were leveraging the flaw to conduct cyberattacks. The government has also urged users to ensure that ADSelfService Plus is not directly accessible from the internet.