Multiple Zoho ManageEngine ADSelfService Plus instances are affected by a vulnerability that could allow an authenticated end user to gain remote code execution on the server hosting ADSelfService Plus. Tracked as CVE-2022-28810, the vulnerability was fixed by Zoho on April 9, 2022, but the flaw is being exploited in the wild.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and is requesting that users patch it.
Zoho ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security needs. The suite provides a wide range of IT management solutions, covering business security, high availability, and customer satisfaction.
ADSelfService Plus from ManageEngine is a popular self-service password management and single sign-on solution.
CVE-2022-28810 can be exploited when an administrator has enabled custom scripts for password sync with the necessary providers and configured the password to be passed to the script as an argument. An authenticated end user can then abuse this during a password change or reset by supplying a CMD command in the password field, which is executed on the system where the ADSelfService Plus server is installed.
The vulnerability arises from a feature that lets the admin user execute arbitrary operating system commands after a password reset or account lockout status update. This feature allows a user with local access to store arbitrary commands there, so an attacker who holds the admin user's password could achieve remote code execution this way.
The vulnerability affects Zoho ManageEngine ADSelfService Plus builds before 6122.
To patch the vulnerability, customers must upgrade their Zoho ManageEngine ADSelfService Plus instance to build 6122.
Zoho made the following updates to fix the vulnerability in the patched version:
- Only VBScript and PowerShell files are allowed as custom scripts.
- All scripts are stored strictly in the <Installation Directory>/Scripts folder.
- Newly set passwords are encoded and sent to the script as parameters.
- Passwords are sent as string literals instead of arguments to avoid unauthorized execution of commands.
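The four hardening points above, as an added example that is not ManageEngine's code: a small Python model of a password-sync hook that confines custom scripts to a Scripts folder and to .ps1/.vbs files, and hands the new password to the script as a base64 token inside an argument vector instead of splicing it into a shell command line. The directory paths, the interpreter table and the constructed password are assumptions.

```python
import base64
import re
from pathlib import Path

# Per the fix: only PowerShell and VBScript custom scripts, each run by a
# fixed interpreter (flags are standard powershell.exe / cscript.exe options).
INTERPRETERS = {
    ".ps1": ["powershell.exe", "-NoProfile", "-File"],
    ".vbs": ["cscript.exe", "//Nologo"],
}
# A base64 token never contains whitespace, quotes or shell metacharacters.
ARGUMENT_SAFE = re.compile(r"[A-Za-z0-9+/=]+")


def resolve_script(scripts_dir: str, script_name: str) -> Path:
    """Confine the script to scripts_dir (the hypothetical
    <Installation Directory>/Scripts) and to allowed extensions; raise otherwise."""
    root = Path(scripts_dir).resolve()
    candidate = (root / script_name).resolve()
    if root not in candidate.parents:  # blocks ../ traversal and absolute paths
        raise ValueError(f"script outside {root}: {script_name}")
    if candidate.suffix.lower() not in INTERPRETERS:
        raise ValueError(f"disallowed script type: {candidate.suffix}")
    return candidate


def unsafe_command_line(script: str, new_password: str) -> str:
    """The weak pattern: the raw password is spliced into a shell command
    string, so shell metacharacters in it are parsed as further commands."""
    return f'cmd.exe /c "{script}" {new_password}'


def safe_argv(scripts_dir: str, script_name: str, new_password: str) -> list:
    """The hardened pattern: confined script, fixed interpreter, and the
    password base64-encoded so it reaches the script as one opaque token.
    The returned list is meant for subprocess.run(argv) with no shell."""
    script = resolve_script(scripts_dir, script_name)
    token = base64.b64encode(new_password.encode("utf-8")).decode("ascii")
    if not ARGUMENT_SAFE.fullmatch(token):
        raise ValueError("encoded password is not argument-safe")
    return INTERPRETERS[script.suffix.lower()] + [str(script), token]


def decode_password(token: str) -> str:
    """What the script does on its side: decode the token back to the password."""
    return base64.b64decode(token).decode("utf-8")
```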
Please refer to the Zoho ManageEngine ADSelfService Plus Security Advisory for more information.
Qualys customers can scan their devices with QID 378057 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.