CVE-2018-5353: The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attac...
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
Security readout for executives and security teams
Plain-English summary
CVE-2018-5353 affects Zoho ManageEngine ADSelfService Plus before 5.5 build 5517. A Windows logon component can trust the wrong server and open attacker-controlled browser content, allowing code execution and privilege escalation in the WinLogon.exe context under specific conditions.
Executive priority
Treat this as a high-priority legacy exposure review if ADSelfService Plus is present. The impact is serious, but urgency depends on whether vulnerable builds, GINA/CP clients, weak RDP settings, or certificate issues exist in the environment.
Technical view
The vulnerable custom GINA/CP module does not authenticate the intended ADSelfService Plus server before opening a browser window. A remote attacker able to spoof the server can redirect that browser and gain execution in WinLogon.exe context. RDP exposure is noted when Network Level Authentication is not enforced; certificate misconfiguration can remove the spoofing requirement.
Likely exposure
Exposure is most likely where ADSelfService Plus before 5.5 build 5517 is deployed with the custom GINA/CP module on Windows logon systems. Risk increases for RDP-accessible hosts without Network Level Authentication and for ADSelfService Plus web servers using misconfigured certificates.
Exploitation context
The provided bundle does not identify active exploitation, and KEV is false. The described attack is conditional: it requires spoofing unless certificate configuration is flawed, and RDP exploitation depends on Network Level Authentication not being enforced.
Researcher notes
The bundle provides strong impact and precondition details but no CVSS, CWE, or confirmed exploit-in-the-wild evidence. Research should focus on version/build verification, GINA/CP deployment paths, certificate validation behavior, and RDP/NLA configuration.
Mitigation direction
Check vendor release notes and upgrade affected ADSelfService Plus deployments to build 5517 or later.
Enforce Network Level Authentication on RDP-accessible systems using the GINA/CP module.
Correct ADSelfService Plus web server certificate misconfigurations.
Review where the custom GINA/CP module is installed and remove unnecessary deployments.
Validation and detection
Inventory ADSelfService Plus versions and confirm whether any are before 5.5 build 5517.
Identify Windows systems using the custom GINA/CP module.
Verify RDP systems enforce Network Level Authentication.
Validate ADSelfService Plus web server certificates are correctly configured and trusted.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2018-5353 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 29, 2020, 20:07 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.