Zoho has patched a high-severity vulnerability (CVE-2025-1723) in ManageEngine ADSelfService Plus, its widely used self-service password management and single sign-on product.
The flaw affects builds 6510 and earlier and could let an attacker bypass authentication safeguards and read sensitive user enrollment data, potentially leading to account takeover.
Zoho fixed the issue in build 6511, released on February 26, 2025, and urges immediate patching of all affected installations.
Zoho ADSelfService Plus Vulnerability
The vulnerability stems from improper session handling in the MFA (multi-factor authentication) workflow.
When MFA was disabled for ADSelfService Plus logins, an attacker could use a mismanaged session token to retrieve enrollment data, including password reset configuration and security questions, without valid credentials.
That exposure gave an attacker a path to impersonate legitimate users, modify account recovery settings and ultimately take control of Active Directory accounts.
Zoho's security team confirmed that the flaw allows unauthorized API calls to the /enrollment/data endpoints using reused or unexpired session IDs.
Successful exploitation required network access to the instance but no prior authentication, which makes it particularly dangerous for organizations whose ADSelfService Plus instance is reachable from untrusted networks.
The vulnerability's CVSS v3.1 score of 8.1 (High) reflects its potential to compromise an organization's identity management. According to the report, exposed enrollment data could enable attackers to:
- Bypass password complexity policies
- Redirect MFA prompts to attacker-controlled devices
- Forge SAML tokens for lateral movement within networks
Notably, instances with Zoho's integrated MFA enabled for ADSelfService Plus logins were not affected, since the exploit chain only works when administrators have disabled that safeguard.
This underscores the value of layered authentication defenses. Security researcher Weston reported the flaw through Zoho's bug bounty program under coordinated vulnerability disclosure.
The company has not said whether the flaw was exploited before the patch, but states that no customer data breach has been linked to this CVE.
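To make the class of bug concrete, here is a small Python model of the session handling described above. It is an added example, not Zoho's code and not a reproduction of ADSelfService Plus internals: the session store, the handler names enrollment_data_vulnerable and enrollment_data_fixed, the 900-second lifetime and the sample enrollment records are all assumptions. The vulnerable handler hands out enrollment data to any session ID it still recognizes, so a session issued when the login page loaded, a logged-out session whose record was never purged, or a stale one all pass; the fixed handler binds the request to a live, authenticated session for the same user, which is the kind of check the patch is described as adding.

```python
"""Model of the session-handling flaw and its fix (added example, not Zoho's code)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SESSION_TTL = 900  # seconds; assumed session lifetime, not a Zoho value

# Constructed sample enrollment data: the kind of record the flaw exposed.
ENROLLMENT = {
    "alice": {"security_questions": ["First pet?"], "reset_email": "alice@example.test"},
    "bob": {"security_questions": ["Birth city?"], "reset_email": "bob@example.test"},
}


@dataclass
class Session:
    sid: str
    user: Optional[str] = None   # None until credentials have been verified
    mfa_done: bool = False
    created: float = field(default_factory=time.time)
    logged_out: bool = False


class SessionStore:
    """In-memory session table; mfa_required mirrors the admin MFA setting."""

    def __init__(self, mfa_required: bool):
        self.mfa_required = mfa_required
        self.sessions = {}

    def start(self) -> Session:
        # Issued when the login page loads, before any credentials are seen.
        s = Session(sid=secrets.token_hex(16))
        self.sessions[s.sid] = s
        return s

    def login(self, sid: str, user: str, mfa_ok: bool = False) -> None:
        s = self.sessions[sid]
        s.user, s.mfa_done = user, mfa_ok

    def logout(self, sid: str) -> None:
        # Marks the session dead but leaves the record behind, so the
        # session ID is "unexpired" as far as a naive lookup is concerned.
        self.sessions[sid].logged_out = True


def enrollment_data_vulnerable(store, sid, user, now=None):
    """Vulnerable pattern: any session ID the store still knows is trusted.
    The now argument is accepted only so both handlers share a signature."""
    if sid not in store.sessions:
        raise PermissionError("unknown session")
    return ENROLLMENT[user]


def enrollment_data_fixed(store, sid, user, now=None):
    """Fixed pattern: the request must come from a live, authenticated session
    that belongs to the user whose enrollment data is requested."""
    now = time.time() if now is None else now
    s = store.sessions.get(sid)
    if s is None or s.logged_out or now - s.created > SESSION_TTL:
        raise PermissionError("session is not live")
    if s.user is None or (store.mfa_required and not s.mfa_done):
        raise PermissionError("session is not authenticated")
    if s.user != user:
        raise PermissionError("session is bound to a different user")
    return ENROLLMENT[user]


def _granted(handler, *args, **kwargs) -> bool:
    try:
        handler(*args, **kwargs)
        return True
    except PermissionError:
        return False


def run_scenarios():
    """Return {scenario: (vulnerable_handler_granted, fixed_handler_granted)}."""
    results = {}
    store = SessionStore(mfa_required=False)   # MFA disabled, as in the advisory

    pre = store.start()                         # login page loaded, no credentials
    results["pre_auth"] = (_granted(enrollment_data_vulnerable, store, pre.sid, "alice"),
                           _granted(enrollment_data_fixed, store, pre.sid, "alice"))

    alice = store.start()
    store.login(alice.sid, "alice")
    results["authenticated"] = (_granted(enrollment_data_vulnerable, store, alice.sid, "alice"),
                                _granted(enrollment_data_fixed, store, alice.sid, "alice"))

    later = alice.created + SESSION_TTL + 1     # same session, past its lifetime
    results["expired"] = (_granted(enrollment_data_vulnerable, store, alice.sid, "alice", now=later),
                          _granted(enrollment_data_fixed, store, alice.sid, "alice", now=later))

    store.logout(alice.sid)                     # record kept, flag set
    results["logged_out"] = (_granted(enrollment_data_vulnerable, store, alice.sid, "alice"),
                             _granted(enrollment_data_fixed, store, alice.sid, "alice"))

    bob = store.start()
    store.login(bob.sid, "bob")                 # Bob's session asks for Alice's data
    results["cross_user"] = (_granted(enrollment_data_vulnerable, store, bob.sid, "alice"),
                             _granted(enrollment_data_fixed, store, bob.sid, "alice"))

    mfa_store = SessionStore(mfa_required=True)
    half = mfa_store.start()
    mfa_store.login(half.sid, "alice", mfa_ok=False)   # password ok, MFA step skipped
    results["mfa_pending"] = (_granted(enrollment_data_vulnerable, mfa_store, half.sid, "alice"),
                              _granted(enrollment_data_fixed, mfa_store, half.sid, "alice"))
    return results


if __name__ == "__main__":
    for name, (vuln, fixed) in run_scenarios().items():
        print(f"{name:14s} vulnerable={vuln!s:5} fixed={fixed!s:5}")
```

Only the authenticated scenario is granted by both handlers; every other row is granted by the vulnerable lookup and refused by the bound check, which is the difference between "the session ID exists" and "the session is live and belongs to this user".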
Mitigations
Zoho released build 6511 through its standard service pack channel; it introduces session validation checks that bind enrollment data requests to live authentication tokens. Administrators must:
- Navigate to the ADSelfService Plus admin console
- Select Help > Check for Updates
- Apply service pack 6511 or later
- Confirm the update by checking the build number shown in the console footer
After updating, organizations should audit historical enrollment access logs for unusual activity, particularly unauthorized access attempts, between January 2025 and the patch date; an instance that was reachable from untrusted networks during that window deserves the closest scrutiny.
Zoho also recommends enforcing MFA for all admin and user logins as a compensating control.
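One way to carry out that audit, as an added example rather than a Zoho-supplied tool: the script below replays enrollment-related log events in time order and flags reads of enrollment data by a session that never completed a login, was used after logout, had been idle past an assumed 15-minute lifetime, or targeted a different user than the one logged in. The log format, the field names, the sample lines and the session lifetime are constructed for the example; ADSelfService Plus writes its own log layout, so parse_line would need adapting to the real audit logs before use.

```python
"""Audit enrollment-data reads against session state (added example, not Zoho's code)."""
from datetime import datetime, timedelta, timezone

# Review window from the advisory: January 2025 up to the build 6511 release.
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 2, 26, 23, 59, 59, tzinfo=timezone.utc)
SESSION_TTL = timedelta(minutes=15)   # assumed idle lifetime, not a Zoho value

# Constructed sample log in a hypothetical "timestamp key=value ..." format.
# Real ADSelfService Plus logs use their own layout; adapt parse_line() to them.
SAMPLE_LOG = """\
2025-01-14T09:00:01Z sid=a1 user=alice event=LOGIN_OK src=10.0.0.5
2025-01-14T09:00:40Z sid=a1 user=alice event=ENROLL_DATA_READ target=alice src=10.0.0.5
2025-01-14T09:05:00Z sid=a1 user=alice event=LOGOUT src=10.0.0.5
2025-01-14T09:06:10Z sid=a1 event=ENROLL_DATA_READ target=alice src=203.0.113.7
2025-01-20T14:00:00Z sid=b7 event=ENROLL_DATA_READ target=bob src=203.0.113.7
2025-01-21T08:00:00Z sid=c3 user=carol event=LOGIN_OK src=10.0.0.9
2025-01-21T08:30:00Z sid=c3 user=carol event=ENROLL_DATA_READ target=carol src=10.0.0.9
2025-01-22T11:00:00Z sid=d4 user=dave event=LOGIN_OK src=10.0.0.12
2025-01-22T11:01:00Z sid=d4 user=dave event=ENROLL_DATA_READ target=alice src=10.0.0.12
2024-12-30T11:01:00Z sid=e5 event=ENROLL_DATA_READ target=erin src=203.0.113.7
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict with a parsed UTC timestamp."""
    ts_raw, _, rest = line.partition(" ")
    fields = dict(part.split("=", 1) for part in rest.split())
    fields["ts_raw"] = ts_raw
    fields["ts"] = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def audit(log_text: str) -> list:
    """Replay events in time order; return enrollment reads not backed by a live session.
    Session state is tracked across the whole log, but only reads inside the
    review window are reported."""
    sessions = {}          # sid -> {"user": str, "last": datetime, "dead": bool}
    findings = []
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        sid, ts, s = e["sid"], e["ts"], sessions.get(e["sid"])
        if e["event"] == "LOGIN_OK":
            sessions[sid] = {"user": e["user"], "last": ts, "dead": False}
            continue
        if e["event"] == "LOGOUT":
            if s is not None:
                s["dead"] = True
            continue
        if e["event"] != "ENROLL_DATA_READ":
            continue
        if s is None:
            reason = "no authenticated session for this session ID"
        elif s["dead"]:
            reason = "session ID reused after logout"
        elif ts - s["last"] > SESSION_TTL:
            reason = "session idle past its lifetime"
        elif s["user"] != e.get("target"):
            reason = "read of another user's enrollment data"
        else:
            s["last"] = ts    # legitimate read refreshes the idle timer
            continue
        if WINDOW_START <= ts <= WINDOW_END:
            findings.append({"ts": e["ts_raw"], "sid": sid, "src": e.get("src"),
                             "target": e.get("target"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} sid={f['sid']} src={f['src']} target={f['target']}: {f['reason']}")
```

On the sample log this reports four reads: the a1 session reused from a new source address after logout, the b7 session that never logged in, the c3 read after a 30-minute idle gap, and Dave's session reading Alice's record; the 2024 line is tracked but falls outside the review window and is not reported. Pivoting on the source address of each finding is the natural next step when triaging.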