
Zoho ADSelfService Plus Flaw Allows Hackers to Gain Unauthorized Access

A critical security flaw in Zoho’s widely used identity management solution, ADSelfService Plus, has been patched after researchers discovered it could enable attackers to hijack user sessions and compromise sensitive enrollment data.

Tracked as CVE-2025-1723, the high-severity vulnerability underscores the risks of insufficient session validation in authentication systems, particularly when multi-factor authentication (MFA) safeguards are not enforced.

Vulnerability Overview

The vulnerability, resolved in ADSelfService Plus Build 6511 released on February 26, 2025, stems from improper session handling in builds 6510 and earlier.

Attackers exploiting the flaw could bypass authentication checks to access enrollment data—including password reset configurations and security questions—belonging to other users.

This data could then be weaponized to stage account takeovers, especially in environments where MFA was not enabled for ADSelfService Plus logins.

Zoho’s advisory clarifies that the issue arises when session tokens are not adequately invalidated after authentication events, allowing malicious actors to reuse or manipulate session identifiers.

This oversight creates a window for unauthorized access to administrative and user-level functions, potentially exposing organizations to credential theft and lateral network movement.

Technical Impact and Risks

The exploitation of CVE-2025-1723 poses significant risks to enterprises relying on ADSelfService Plus for self-service password management and single sign-on (SSO) capabilities. By intercepting or guessing valid session IDs, attackers could:

  1. Harvest sensitive user enrollment details stored in the platform.
  2. Modify account recovery settings to lock legitimate users out of their accounts.
  3. Escalate privileges to compromise administrative accounts linked to Active Directory.

Organizations without MFA enforcement for ADSelfService Plus are particularly vulnerable, as the lack of a secondary authentication layer amplifies the exploit’s effectiveness.

Security analysts warn that unpatched systems could face ransomware attacks, data breaches, or insider threat scenarios if adversaries leverage stolen credentials.

Zoho has urged all customers to immediately upgrade to Build 6511, which introduces stricter session validation protocols. The update ensures enrollment data is only accessible to authenticated users tied to active sessions, eliminating cross-user data leakage.
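To make the session-handling weakness described above concrete for readers who run or review authentication code, here is an added Python model of the two patterns the advisory contrasts: serving enrollment data to anyone who holds some live session versus serving it only to the principal the session was actually issued to, with a fresh identifier minted at login and idle expiry applied. This is illustrative code written for this article, not Zoho's implementation, and the class of bug it shows (a missing owner check plus an identifier that survives the authentication event) is a generic example of improper session handling rather than the exact defect behind CVE-2025-1723. The `ENROLLMENT` records, the 15-minute idle timeout, and all function names are assumptions.

```python
import secrets
import time

# Constructed sample enrollment records keyed by username. Illustrative only;
# this is not the ADSelfService Plus schema or real data.
ENROLLMENT = {
    "alice": {"security_question": "First pet?", "recovery_email": "alice@example.invalid"},
    "bob": {"security_question": "Birth city?", "recovery_email": "bob@example.invalid"},
}

# Idle window after which a session is discarded (assumed value for the example).
IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Minimal server-side session store.

    Every session ID is a fresh random token issued only after a successful
    login, bound to exactly one user, and expired after IDLE_TIMEOUT_SECONDS
    of inactivity. `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def login(self, username, password_ok, presented_session_id=None):
        # Any session ID the client presented before authenticating is
        # discarded: the authentication event must never keep an identifier
        # that the client (or whoever handed it to the client) chose.
        if presented_session_id is not None:
            self._sessions.pop(presented_session_id, None)
        if not password_ok:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": username, "last_seen": self._now()}
        return session_id

    def logout(self, session_id):
        # Server-side invalidation: a logged-out ID must not keep working.
        self._sessions.pop(session_id, None)

    def resolve(self, session_id):
        """Return the user bound to a live session, or None if unknown or idle-expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._now()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]
            return None
        entry["last_seen"] = now
        return entry["user"]


def get_enrollment_weak(store, session_id, requested_user):
    """Weak pattern: confirms that *some* live session exists, then serves the
    record named in the request. Any authenticated user can read any record."""
    if store.resolve(session_id) is None:
        return None
    return ENROLLMENT.get(requested_user)


def get_enrollment_hardened(store, session_id, requested_user):
    """Hardened pattern: the record served is the one belonging to the principal
    the session was issued to, and a mismatching request is refused outright."""
    principal = store.resolve(session_id)
    if principal is None or principal != requested_user:
        return None
    return ENROLLMENT.get(principal)


def demo():
    """Walk through the checks with a fake clock and return each outcome."""
    clock = [1_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login("alice", password_ok=True, presented_session_id="client-chosen")
    results = {
        "presented_id_dead": store.resolve("client-chosen") is None,
        "weak_leaks_other_user": get_enrollment_weak(store, sid, "bob") is not None,
        "hardened_refuses_other_user": get_enrollment_hardened(store, sid, "bob") is None,
        "hardened_serves_own": get_enrollment_hardened(store, sid, "alice") == ENROLLMENT["alice"],
    }
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    results["idle_expired"] = store.resolve(sid) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point to carry into a code review is that the hardened handler never consults the request for *whose* data to return; it derives the principal from the server-side session and treats a mismatch as a refusal rather than a lookup. Rotating the identifier at login and dropping it at logout or after the idle window are what "adequately invalidated after authentication events" looks like in practice.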

Cybersecurity experts emphasize that patching alone is insufficient without complementary safeguards. Recommendations include:

  • Enabling MFA for all ADSelfService Plus administrator and user accounts.
  • Auditing session timeout configurations to reduce idle windows.
  • Monitoring authentication logs for unusual session activity, such as repeated access attempts from unfamiliar IP addresses.
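The third recommendation, monitoring authentication logs for unusual session activity, is easy to state and less obvious to implement. The following Python example, added here and not taken from Zoho or from the article, runs three checks over a handful of constructed log lines: one session identifier seen from more than one source address, one session identifier acting for more than one user (the cross-user access pattern the advisory describes), and repeated login failures from an address outside the ranges the organisation considers familiar. The key=value log format, the `10.0.0.0/8` "known" range and the failure threshold are assumptions; ADSelfService Plus's real log layout is not shown on the page, so `LOG_PATTERN` would need adapting to it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a made-up key=value format (not the product's real layout).
SAMPLE_LOG = """\
2025-03-05T09:00:01Z event=login_success user=alice sid=s1 ip=10.0.0.5
2025-03-05T09:00:09Z event=enrollment_read user=alice sid=s1 ip=10.0.0.5
2025-03-05T09:01:00Z event=enrollment_read user=alice sid=s1 ip=203.0.113.7
2025-03-05T09:01:30Z event=enrollment_read user=bob sid=s1 ip=203.0.113.7
2025-03-05T09:02:00Z event=login_failure user=carol sid=- ip=198.51.100.9
2025-03-05T09:02:05Z event=login_failure user=carol sid=- ip=198.51.100.9
2025-03-05T09:02:10Z event=login_failure user=carol sid=- ip=198.51.100.9
2025-03-05T09:02:15Z event=login_failure user=carol sid=- ip=198.51.100.9
2025-03-05T09:03:00Z event=login_success user=dave sid=s2 ip=10.0.0.8
2025-03-05T09:03:20Z event=enrollment_read user=dave sid=s2 ip=10.0.0.8
"""

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+)$"
)

# Assumed list of networks treated as familiar (for example, corporate ranges).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed alerting threshold for failed logins from a single unfamiliar address.
FAILURE_THRESHOLD = 3


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        match = LOG_PATTERN.match(line.strip())
        if match:
            yield match.groupdict()


def is_known_ip(ip, known_networks=KNOWN_NETWORKS):
    """True when the address parses and falls inside a familiar network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in known_networks)


def analyze(records, known_networks=KNOWN_NETWORKS, failure_threshold=FAILURE_THRESHOLD):
    """Return a list of findings; each is a dict with a 'kind' and supporting detail."""
    session_ips = defaultdict(set)
    session_users = defaultdict(set)
    failures_by_ip = defaultdict(int)

    for rec in records:
        if rec["sid"] != "-":  # "-" marks events that carry no session
            session_ips[rec["sid"]].add(rec["ip"])
            session_users[rec["sid"]].add(rec["user"])
        if rec["event"] == "login_failure" and not is_known_ip(rec["ip"], known_networks):
            failures_by_ip[rec["ip"]] += 1

    findings = []
    # One session ID observed from more than one address: possible identifier reuse.
    for sid, ips in session_ips.items():
        if len(ips) > 1:
            findings.append({"kind": "session_multiple_ips", "sid": sid, "ips": sorted(ips)})
    # One session ID acting on behalf of more than one user: cross-user access.
    for sid, users in session_users.items():
        if len(users) > 1:
            findings.append({"kind": "session_multiple_users", "sid": sid, "users": sorted(users)})
    # Repeated failures from an address outside the familiar ranges.
    for ip, count in failures_by_ip.items():
        if count >= failure_threshold:
            findings.append({"kind": "repeated_failures_unknown_ip", "ip": ip, "count": count})
    return findings


def analyze_text(text=SAMPLE_LOG):
    """Convenience wrapper: parse and analyse a block of log text in one call."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for finding in analyze_text():
        print(finding)
```

On the sample data this flags session `s1` twice (it moves from an internal address to `203.0.113.7` and then reads a second user's enrollment record) and the address `198.51.100.9` once for four failed logins; session `s2` produces nothing. The session-to-user check is the one worth prioritising for this vulnerability class, since a single identifier touching several users' enrollment data is exactly the behaviour a properly bound session should make impossible.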

Zoho’s rapid response—resolving the flaw within 72 hours of internal discovery—has been praised by industry watchers.

However, the incident highlights the importance of proactive vulnerability management, particularly for software integral to enterprise authentication frameworks.

With ADSelfService Plus deployed across over 12,000 enterprises globally, the swift adoption of Build 6511 is imperative to curbing large-scale exploitation.

Security teams must treat this patch as urgent, given the vulnerability’s low exploitation complexity and high potential impact on business continuity.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
