Security Advisory
- We have fixed an authentication bypass vulnerability affecting a few REST API URLs used for integration in M365 Security Plus. This article provides more information on the issue and how to resolve it.
What is the issue?
- An authentication bypass vulnerability affecting a few REST API URLs allowed unauthenticated users to access certain REST APIs.
What is the severity of this issue?
- This is a critical issue.
Which versions of M365 Security Plus are affected?
- M365 Security Plus builds up to 4416 are affected.
How does it impact M365 Security Plus customers?
- This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints that integrate ManageEngine M365 Security Plus and ManageEngine AD360 by sending a specially crafted request. This would allow the attacker to carry out subsequent attacks.
What should I do if my installation is affected?
- Update M365 Security Plus to the latest build, 4417, using the service pack.
If you need further information, have any questions, or face any difficulties updating M365 Security Plus, please get in touch with us at m365securityplus-support@manageengine.com or +1-408-916-9836 (toll free).