Zoho has released a critical security update for ManageEngine ADSelfService Plus, an integrated self-service password management and single sign-on (SSO) solution. The update addresses a severe vulnerability (CVSS 9.1) that could allow an unauthenticated attacker to bypass authentication and potentially gain unauthorized access to the application.
Zoho ManageEngine ADSelfService Plus is used to simplify and secure Active Directory (AD) user account management, mainly in enterprise environments. Due to the critical nature of this flaw and the role ADSelfService Plus plays in managing Active Directory credentials, organizations are urged to apply the patch immediately.
Vulnerability Details
- Vulnerability Type: Authentication Bypass / Improper Validation.
- Mechanism: An attacker can exploit this flaw by sending a specially crafted SAML response to the ADSelfService Plus server.
- Root Cause: The application fails to properly validate the signature or assertions within the SAML XML, allowing an attacker to impersonate legitimate users (including administrators) without providing valid credentials.
- CVE: This high-severity vulnerability is tracked as CVE-2025-11250 and carries a CVSS score of 9.1.
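The root cause above is a service provider trusting a SAML response whose signature or assertions it never properly verified. The following added example (written for this page; it is not Zoho's code and says nothing about ADSelfService Plus internals) shows the minimum checks a SAML consumer has to perform before accepting the identity in a response: a signature must be present, it must reference the Assertion actually being consumed, it must verify over the Assertion as received, and issuer, audience and validity window must match the service provider. XML-DSig (RSA over canonicalized XML) is replaced by an HMAC over the serialized Assertion so the example runs with the standard library only, and the IdP key, issuer and audience strings are constructed placeholders.

```python
"""
Added example, not Zoho's code: the checks a SAML service provider must perform
on a Response before trusting the identity it carries.  XML-DSig is replaced by
an HMAC over the serialized Assertion, and the key/issuer/audience values are
constructed placeholders, so everything runs with the standard library only.
"""
import base64
import copy
import datetime
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():  # deterministic prefixes when re-serializing
    ET.register_namespace(_prefix, _uri)

# Constructed values; a real deployment takes these from IdP metadata / SP config.
IDP_KEY = b"constructed-idp-signing-key"
EXPECTED_ISSUER = "https://idp.example.test/metadata"
EXPECTED_AUDIENCE = "https://sso.example.test/samlLogin"


class SamlValidationError(Exception):
    pass


def serialize(elem):
    """Stand-in for XML canonicalization: serialize the element without its tail."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone, encoding="unicode")


def toy_sign(data):
    """Stand-in for the IdP's XML-DSig signature (HMAC-SHA256 instead of RSA)."""
    return base64.b64encode(hmac.new(IDP_KEY, data.encode(), hashlib.sha256).digest()).decode()


def build_response(name_id, not_after, signed=True):
    """Constructed IdP response; signed=False models a response with no Signature."""
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{not_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )
    signature = ""
    if signed:
        value = toy_sign(serialize(ET.fromstring(assertion)))
        signature = (
            f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            '<ds:Reference URI="#_a1"/></ds:SignedInfo>'
            f"<ds:SignatureValue>{value}</ds:SignatureValue></ds:Signature>"
        )
    return f'<samlp:Response xmlns:samlp="{NS["samlp"]}">{signature}{assertion}</samlp:Response>'


def validate_response(response_xml, now):
    """Return the authenticated NameID, or raise SamlValidationError."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]

    # 1. A signature must be present; an unsigned response proves nothing.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("response is not signed")

    # 2. The signature must cover *this* Assertion, not some other element.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise SamlValidationError("signature does not reference the Assertion")

    # 3. The signature value must verify over the Assertion exactly as received.
    value = (sig.findtext("ds:SignatureValue", namespaces=NS) or "").strip()
    if not hmac.compare_digest(value.encode(), toy_sign(serialize(assertion)).encode()):
        raise SamlValidationError("signature verification failed")

    # 4. Issuer, audience and validity window must match this service provider.
    if assertion.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise SamlValidationError("unexpected issuer")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        raise SamlValidationError("assertion not intended for this service provider")
    not_after = assertion.find("saml:Conditions", NS).get("NotOnOrAfter", "")
    if now >= datetime.datetime.fromisoformat(not_after.replace("Z", "+00:00")):
        raise SamlValidationError("assertion expired")

    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def exercise(now=None):
    """Run the validator over a valid response and three defective variants."""
    now = now or datetime.datetime(2025, 1, 1, tzinfo=datetime.timezone.utc)
    not_after = "2025-01-02T00:00:00Z"
    good = build_response("alice@example.test", not_after)
    results = {"valid": validate_response(good, now)}
    cases = {
        "unsigned": build_response("admin@example.test", not_after, signed=False),
        "tampered": good.replace("alice@example.test", "admin@example.test"),  # edited after signing
        "expired": build_response("alice@example.test", "2024-12-31T00:00:00Z"),
    }
    for name, xml in cases.items():
        try:
            validate_response(xml, now)
            results[name] = "ACCEPTED"
        except SamlValidationError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in exercise().items():
        print(f"{case:9} {outcome}")
```

Checks 1 to 3 are the ones whose absence turns a SAML consumer into an authentication bypass: skip any of them and the NameID in an unsigned or edited Assertion is accepted as a logged-in user. In production the `toy_sign`/`serialize` pair is replaced by a real XML-DSig library verifying against the IdP certificate from metadata, and the same four checks are still required around it.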
Impact
If successfully exploited, an unauthenticated remote attacker could:
- Gain Administrative Access: Bypass the login screen to access the management console.
- Active Directory Manipulation: Reset passwords, unlock accounts, or modify user attributes within the connected Active Directory environment.
- Lateral Movement: Use the compromised identity to move laterally through the corporate network.
- Data Exfiltration: Access sensitive user information and organizational directory data.
Affected Versions: All versions up to and including 6423.
Remediation
Zoho has addressed this vulnerability in the latest release. Organizations must upgrade their installations to the following version or higher:
- Fixed Version: ADSelfService Plus 6424
To Update
- Download the latest service pack from the ManageEngine website.
- Follow the standard upgrade instructions provided by Zoho.
- Note: It is highly recommended to take a full backup of the installation directory and the database before proceeding with the update.