CVE-2023-35785 Overview
CVE-2023-35785 is an authentication bypass vulnerability affecting multiple Zoho ManageEngine products. The vulnerability allows attackers to bypass two-factor authentication (2FA) mechanisms via certain TOTP (Time-based One-Time Password) authenticators. This security flaw undermines a critical layer of defense that organizations rely on to protect administrative access to their IT management infrastructure.
The vulnerability requires valid username and password credentials as a prerequisite for exploitation, meaning an attacker must first obtain legitimate credentials through other means such as credential stuffing, phishing, or data breaches before being able to bypass the 2FA protection.
Critical Impact
Successful exploitation allows attackers with stolen credentials to completely bypass two-factor authentication, gaining unauthorized access to sensitive IT management platforms that control Active Directory, security logging, service desk operations, and cloud infrastructure.
Affected Products
- Zoho ManageEngine Active Directory 360 versions 4315 and below
- Zoho ManageEngine ADAudit Plus versions 7202 and below
- Zoho ManageEngine ADManager Plus versions 7200 and below
- Zoho ManageEngine Asset Explorer versions 6993 and below (and 7xxx versions 7002 and below)
- Zoho ManageEngine Cloud Security Plus versions 4161 and below
- Zoho ManageEngine Data Security Plus versions 6110 and below
- Zoho ManageEngine Eventlog Analyzer versions 12301 and below
- Zoho ManageEngine Exchange Reporter Plus versions 5709 and below
- Zoho ManageEngine Log360 versions 5315 and below
- Zoho ManageEngine Log360 UEBA versions 4045 and below
- Zoho ManageEngine M365 Manager Plus versions 4529 and below
- Zoho ManageEngine M365 Security Plus versions 4529 and below
- Zoho ManageEngine Recovery Manager Plus versions 6061 and below
- Zoho ManageEngine ServiceDesk Plus versions 14204 and below (and 143xx versions 14302 and below)
- Zoho ManageEngine ServiceDesk Plus MSP versions 14300 and below
- Zoho ManageEngine SharePoint Manager Plus versions 4402 and below
- Zoho ManageEngine Support Center Plus versions 14300 and below
Discovery Timeline
- August 28, 2023 - CVE-2023-35785 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-35785
Vulnerability Analysis
This vulnerability represents an authentication bypass (CWE-287) in the two-factor authentication implementation across numerous Zoho ManageEngine products. The flaw exists in how these applications validate TOTP codes generated by certain authenticator applications during the second authentication step.
The affected ManageEngine products are critical enterprise IT management tools that handle sensitive operations including Active Directory management, security event logging, asset tracking, and help desk functions. A 2FA bypass in these systems is particularly concerning as they often hold administrative privileges over core IT infrastructure.
Root Cause
The root cause stems from improper validation of TOTP tokens during the authentication process. Specifically, the vulnerability exists in the authentication flow where certain TOTP authenticator implementations can be manipulated to bypass the expected validation checks. The application fails to properly enforce the second authentication factor when specific conditions related to TOTP generation or validation are present.
Attack Vector
The attack is network-based and does not require any user interaction beyond the initial credential theft phase. An attacker exploiting this vulnerability would:
- First obtain valid username and password credentials for a target ManageEngine application (through phishing, credential stuffing, or data breach)
- Initiate a login session with the stolen credentials
- When prompted for the 2FA TOTP code, exploit the validation weakness using specific TOTP authenticator configurations
- Successfully bypass the 2FA check and gain full authenticated access
The vulnerability enables complete circumvention of what should be a robust second factor of authentication, effectively reducing the security model to single-factor authentication for affected deployments.
Detection Methods for CVE-2023-35785
Indicators of Compromise
- Multiple failed 2FA attempts followed by successful authentication from the same user/IP combination
- Authentication logs showing successful logins without corresponding valid TOTP token validations
- Unusual login patterns from IP addresses not typically associated with the user account
- Administrative actions performed shortly after authentication from unfamiliar geographic locations
Detection Strategies
- Implement alerting on authentication events where 2FA validation appears anomalous or incomplete
- Correlate login events across ManageEngine products to identify potential credential reuse attacks
- Monitor for bulk authentication attempts that could indicate credential stuffing campaigns targeting 2FA bypass
- Deploy network detection rules to identify authentication traffic patterns associated with 2FA bypass attempts
Monitoring Recommendations
- Enable verbose authentication logging on all affected ManageEngine products
- Centralize authentication logs to a SIEM platform for correlation and analysis
- Configure alerts for successful authentications that occur without proper 2FA token verification
- Establish baseline authentication patterns to identify statistical anomalies in login behavior
How to Mitigate CVE-2023-35785
Immediate Actions Required
- Identify all Zoho ManageEngine products deployed in your environment and check their version numbers against the affected versions list
- Prioritize patching for internet-facing ManageEngine installations and those managing critical infrastructure
- Review authentication logs for signs of compromise during the exposure window
- Implement additional access controls such as IP allowlisting for administrative access while patching is in progress
Patch Information
Zoho has released security patches for all affected ManageEngine products. Organizations should update to versions higher than those listed in the affected products section. Specific patched versions and update instructions are available in the ManageEngine Security Advisory for CVE-2023-35785.
For each product, update to at least:
- Active Directory 360: version above 4315
- ADAudit Plus: version above 7202
- ADManager Plus: version above 7200
- ServiceDesk Plus: version above 14204 (or 14302 for 143xx branch)
- And corresponding updated versions for other affected products as detailed in the vendor advisory
Workarounds
- If immediate patching is not possible, restrict network access to ManageEngine applications to trusted IP ranges only
- Implement additional authentication layers such as VPN requirements before accessing ManageEngine products
- Consider temporarily disabling affected TOTP authenticator methods if the specific vulnerable authenticators can be identified, though full patching remains the recommended approach
- Enable account lockout policies to limit the effectiveness of repeated authentication bypass attempts
# Example: Restrict access to ManageEngine ServiceDesk Plus using firewall rules
# Allow only trusted administrator IP ranges
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# For Windows environments, use Windows Firewall with Advanced Security
# to restrict inbound connections to ManageEngine service ports
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
