LiveActive security incident?Get immediate response
CVE Record

CVE-2018-5353: The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attac...

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2018-5353 affects Zoho ManageEngine ADSelfService Plus before 5.5 build 5517. A Windows logon component can trust the wrong server and open attacker-controlled browser content, allowing code execution and privilege escalation in the WinLogon.exe context under specific conditions.

Executive priority

Treat this as a high-priority legacy exposure review if ADSelfService Plus is present. The impact is serious, but urgency depends on whether vulnerable builds, GINA/CP clients, weak RDP settings, or certificate issues exist in the environment.

Technical view

The vulnerable custom GINA/CP module does not authenticate the intended ADSelfService Plus server before opening a browser window. A remote attacker able to spoof the server can redirect that browser and gain execution in WinLogon.exe context. RDP exposure is noted when Network Level Authentication is not enforced; certificate misconfiguration can remove the spoofing requirement.

Likely exposure

Exposure is most likely where ADSelfService Plus before 5.5 build 5517 is deployed with the custom GINA/CP module on Windows logon systems. Risk increases for RDP-accessible hosts without Network Level Authentication and for ADSelfService Plus web servers using misconfigured certificates.

Exploitation context

The provided bundle does not identify active exploitation, and KEV is false. The described attack is conditional: it requires spoofing unless certificate configuration is flawed, and RDP exploitation depends on Network Level Authentication not being enforced.

Researcher notes

The bundle provides strong impact and precondition details but no CVSS, CWE, or confirmed exploit-in-the-wild evidence. Research should focus on version/build verification, GINA/CP deployment paths, certificate validation behavior, and RDP/NLA configuration.

Mitigation direction

  • Check vendor release notes and upgrade affected ADSelfService Plus deployments to build 5517 or later.
  • Enforce Network Level Authentication on RDP-accessible systems using the GINA/CP module.
  • Correct ADSelfService Plus web server certificate misconfigurations.
  • Review where the custom GINA/CP module is installed and remove unnecessary deployments.

Validation and detection

  • Inventory ADSelfService Plus versions and confirm whether any are before 5.5 build 5517.
  • Identify Windows systems using the custom GINA/CP module.
  • Verify RDP systems enforce Network Level Authentication.
  • Validate ADSelfService Plus web server certificates are correctly configured and trusted.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2018-5353 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.