CVE-2019-7162 in ADSelfService Plus
Summary
by MITRE
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.
Analysis
by VulDB Data Team • 05/30/2025
CVE-2019-7162 affects Zoho ManageEngine ADSelfService Plus version 5.6 Build 5607. It is a critical flaw that exposes sensitive internal system information to unauthorized actors. The cause is an improperly configured service that runs without adequate authentication, giving attackers a path to confidential data and potentially to compromise of the entire system. The affected service layer should sit behind proper authentication and authorization controls but is instead reachable by anyone who can reach it over the network.
The flaw is classified under CWE-284 (improper access control) and is a classic case of insufficient authorization checks within the application's service architecture. The exposed service lets an attacker disclose information such as internal system configuration, user data, and potentially sensitive operational details about the organization's identity management infrastructure. It also permits modification of the product installation, which can lead to complete system compromise through unauthorized configuration changes or deployment of malicious code.
Operationally, this vulnerability is a severe risk for organizations that rely on ADSelfService Plus for identity and access management. An attacker who exploits it can gain unauthorized access to user credentials and system configuration and may escalate to administrative privileges. Because no credentials are required, anyone with network access to the affected system can exploit it, which makes the issue particularly dangerous. The exposure can lead to data breaches, unauthorized system modification, and lateral movement within the network infrastructure.
The attack surface maps to ATT&CK technique T1078 (Valid Accounts), since the exposed service lets attackers perform actions that would normally require legitimate administrative access. Organizations should apply Zoho's patch immediately and use network segmentation to isolate critical services. The recommended mitigations are to disable or properly secure the exposed service, implement network access controls, and run a comprehensive security assessment to find any other exposed services in the environment. Regular security audits and vulnerability scanning should confirm that similar issues do not exist in other components of the identity management infrastructure.