Severity
High
Analysis Summary
Zoho has patched a high-severity vulnerability (CVE-2025-1723) in ADSelfService Plus, a self-service password management and SSO solution, affecting builds 6510 and earlier. The flaw, stemming from improper session handling in the MFA workflow, allowed attackers to intercept user enrollment data, including password reset configurations and security questions, without authentication. Exploiting this weakness enabled account takeovers by modifying recovery settings and bypassing security controls. The issue was resolved in build 6511, released on February 26, 2025, and Zoho urges immediate patching to prevent exploitation.
The vulnerability, rated 8.1 (High) on the CVSS scale, enabled unauthorized API calls to enrollment data endpoints through unexpired session IDs. Attackers could bypass password policies, redirect MFA prompts to their own devices, and forge SAML tokens for lateral movement within networks. However, systems using Zoho’s MFA remained protected, as the exploit was only viable when administrators had disabled this feature. Security researcher Weston discovered the issue through Zoho’s BugBounty program; while the company has not confirmed active exploitation, it states that no customer data breaches have been linked to this CVE.
To mitigate risks, Zoho advises administrators to upgrade to build 6511 via the ADSelfService Plus admin console and validate the installation. The patch introduces session validation checks that bind enrollment data requests to live authentication tokens. Additionally, organizations should audit historical logs for unauthorized access attempts from January 2025 onward and enforce MFA for all logins as a preventive measure. These steps improve security posture and reduce the likelihood of future exploitation.
Impact
- Unauthorized Access
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-1723
Affected Vendors
- Zoho
Remediation
- Keep Zoho ADSelfService Plus updated with the latest security patches:
  - Navigate to the ADSelfService Plus admin console.
  - Go to Help > Check for Updates.
  - Apply service pack 6511 or later.
  - Verify the successful update by checking the build number in the footer.
- Ensure MFA is enabled for both admin and user logins to prevent session token abuse.
- Review historical logs for unauthorized access attempts between January 2025 and the patch date:
  - Look for suspicious activities related to enrollment data modifications.
- Limit internet-facing access to ADSelfService Plus to internal networks only:
  - Use firewall rules to restrict access to trusted IPs.
- Track API calls to the /enrollment/data endpoints for unusual access patterns.
- Implement session expiration policies to prevent misuse of unexpired tokens.
- Ensure password complexity requirements are enforced.
- Restrict self-service password reset options to prevent abuse.
- Regularly monitor Zoho’s security advisories for new vulnerabilities.
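As an added illustration of the log-review and endpoint-monitoring steps above (not code from Zoho or from this advisory), the following Python script scans constructed access-log lines in a hypothetical format and flags enrollment-data requests that lack an authenticated session, originate from an untrusted address, or arrive in a burst from a single session ID:

```python
import re
from datetime import datetime, timedelta

# Hypothetical log layout (an assumption for this example, not the product's real format):
# <ISO timestamp> <client ip> <method> <path> <status> session=<id> auth=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"session=(?P<session>\S+) auth=(?P<auth>yes|no)$"
)

# Constructed trusted address prefix standing in for the internal network.
TRUSTED_PREFIXES = ("10.0.0.",)

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines, burst_threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, ip, path, reasons) for each enrollment-data request
    that is unauthenticated, from an untrusted IP, or part of a per-session burst."""
    findings = []
    seen_per_session = {}
    for line in lines:
        e = parse(line)
        if not e or not e["path"].startswith("/enrollment/data"):
            continue
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["auth"] == "no":
            reasons.append("unauthenticated enrollment access")
        if not e["ip"].startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted source ip")
        hits = seen_per_session.setdefault(e["session"], [])
        hits.append(ts)
        recent = [t for t in hits if ts - t <= window]
        if len(recent) >= burst_threshold:
            reasons.append(f"{len(recent)} requests in {window}")
        if reasons:
            findings.append((e["ts"], e["ip"], e["path"], reasons))
    return findings

# Constructed sample log: one benign internal request, one unrelated path,
# and three unauthenticated external requests from the same session.
SAMPLE_LOG = [
    "2025-02-10T09:00:00 10.0.0.5 GET /enrollment/data/12 200 session=s1 auth=yes",
    "2025-02-10T09:01:00 203.0.113.7 GET /enrollment/data/12 200 session=s2 auth=no",
    "2025-02-10T09:02:00 10.0.0.5 GET /login 200 session=s1 auth=yes",
    "2025-02-10T09:03:00 203.0.113.7 POST /enrollment/data/13 200 session=s2 auth=no",
    "2025-02-10T09:04:00 203.0.113.7 GET /enrollment/data/14 200 session=s2 auth=no",
]
```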