Authentication bypass in Zoho ManageEngine ADSelfService Plus

CVE-2023-35854

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrato…

Vulnerability class: Broken Authentication

EPSS: 0.060 (92.4th percentile), i.e. an estimated 6% probability of exploitation activity in the wild within the next 30 days, higher than roughly 92% of all scored CVEs.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. reachable over the network, low attack complexity, no privileges and no user interaction required, scope unchanged, with high impact on confidentiality, integrity and availability.

Frequently asked questions

What is CVE-2023-35854?
CVE-2023-35854 is a critical-severity vulnerability in Zoho ManageEngine ADSelfService Plus, classified under CWE-306, Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2023-06-20.
How severe is CVE-2023-35854?
Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2023-35854 known to be exploited?
4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.