CVE-2022-28810

CVSS 6.8 (Medium) · EPSS 70.4% · Listed in CISA KEV · CWE-798
In short

Zoho ManageEngine ADSelfService Plus allows authenticated administrators to run arbitrary system commands through its policy custom script feature. Exploitation takes little effort because the software ships with a default administrator password and does not sanitize input in a password field.

Technical detail

CVE-2022-28810 affects ADSelfService Plus before build 6122 and allows an authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature (CWE-798: use of hard-coded credentials). Pre-conditions are a default administrator password or partial authentication; command injection is possible because input to a password field is not sanitized, enabling privilege escalation and full system compromise.

Summary generated and translated by AI from the official description.
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.