CVE-2025-1723: Zoho Patches Account Takeover Vulnerability in ManageEngine ADSelfService Plus
3/5/2025
Zoho Corporation has issued a security advisory for a critical account takeover vulnerability in ManageEngine ADSelfService Plus, its self-service password management and identity security product. Tracked as CVE-2025-1723, the flaw allows unauthorized access to user enrollment data when multi-factor authentication (MFA) is not enabled for ADSelfService Plus login.
The advisory explains that "CVE-2025-1723 is a vulnerability resulting from improper session management in ADSelfService Plus, which could lead to unauthorized access to user enrollment data when MFA is disabled for login."
The root cause is flawed session handling. Because the enrollment data is the information ADSelfService Plus uses to verify a user's identity for self-service actions, an attacker who can read it could use it to take over the corresponding account. The advisory ties exploitation to one precondition: MFA is not enforced on the ADSelfService Plus login. Zoho has confirmed that the vulnerability is fixed in ADSelfService Plus build 6511.
Zoho is urging all ADSelfService Plus customers to promptly upgrade their instances to build 6511 or later by applying the latest service pack.
This vulnerability also underscores the importance of enabling MFA on critical systems and applications. Here, MFA on the ADSelfService Plus login removes the condition the advisory names for exploitation, and in general it makes unauthorized access much harder even when an attacker has obtained valid credentials. It is a mitigation, not a substitute for the patch: unpatched instances should still be upgraded to build 6511 or later.
Zoho credits Weston, a security researcher participating in the Zoho BugBounty program, with discovering and reporting the vulnerability, a reminder of the role bug bounty programs play in surfacing security risks before they are exploited.
ADSelfService Plus users are strongly advised to prioritize updating to the latest version to protect against potential account takeovers and secure sensitive user data.
To learn more about our services and how we can help protect your systems, visit https://www.vaptern.com/services or contact us directly.