Zoho Patches Account Takeover Vulnerability in ADSelfService Plus

Summary: Zoho Corporation has issued a security advisory for a critical vulnerability (CVE-2025-1723) in its ADSelfService Plus identity security solution that could allow unauthorized access to user data if multi-factor authentication is not enabled. The issue, stemming from improper session management, has been resolved in version 6511, and users are urged to update immediately. This situation emphasizes the necessity of enabling MFA to fortify security against account takeovers.

Affected: Zoho ADSelfService Plus

Keypoints:

  • Critical vulnerability CVE-2025-1723 allows unauthorized access when MFA is disabled.
  • Improper session management could expose sensitive user information and facilitate account hijacking.
  • Users are urged to update to ADSelfService Plus version 6511 or later for security enhancements.
  • The advisory highlights the importance of multi-factor authentication in safeguarding critical systems.
  • The vulnerability was discovered by Weston, a researcher in Zoho's Bug Bounty program, showcasing the program's effectiveness.

Source: https://securityonline.info/cve-2025-1723-zoho-patches-account-takeover-vulnerability-in-adselfservice-plus/