Security Flaw in Zohocorp's ADSelfService Plus Allows Account Takeover

Mon 3rd Mar, 2025

Zohocorp has issued a warning regarding a significant security vulnerability in its ADSelfService Plus software that could allow attackers to take control of user accounts. The flaw stems from improper session handling within the application, which makes unauthorized access to user data possible when multi-factor authentication (MFA) is not enabled.

As detailed in the security advisory released by Zohocorp, the vulnerability is classified under CVE-2025-1723 with a high-risk rating of 8.1 on the CVSS scale. This issue affects versions 6510 and earlier of ADSelfService Plus, potentially exposing sensitive user information and leading to account takeovers.

In response to the identified risk, Zohocorp released an update to version 6511 on February 26, 2025. This update is designed to mitigate the vulnerability by ensuring that enrollment data is accessible only to the authenticated user, thereby preventing unauthorized access.

ADSelfService Plus is a web-based solution for managing identities in both on-premises and cloud environments, intended to protect against identity-related attacks and to provide centralized management. This vulnerability, however, undermines the very security function the product is meant to deliver.

Additionally, Zohocorp had previously alerted users about another security issue in its ManageEngine Applications Manager at the end of January 2025, which allowed malicious actors to gain administrative rights on susceptible systems. This incident highlights ongoing security challenges within the company's software offerings.
