Vulnerability Details : CVE-2022-28810
Public exploit exists!
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Products affected by CVE-2022-28810
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6107:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6108:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6109:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6111:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6112:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6114:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6115:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6116:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6117:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6118:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6119:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6120:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6121:*:*:*:*:*:*
CVE-2022-28810 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
Notes:
https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-28810.html; https://nvd.nist.gov/vuln/detail/CVE-2022-28810
Added on
2023-03-07
Action due date
2023-03-28
Exploit prediction scoring system (EPSS) score for CVE-2022-28810
91.61%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-28810
-
ManageEngine ADSelfService Plus Custom Script Execution
Disclosure Date: 2022-04-09First seen: 2022-12-23exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. T
CVSS scores for CVE-2022-28810
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.1
|
HIGH | AV:N/AC:H/Au:S/C:C/I:C/A:C |
3.9
|
10.0
|
NIST | |
|
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
0.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-29 |
|
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
0.9
|
5.9
|
NIST |
CWE ids for CVE-2022-28810
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-28810
-
http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html
ManageEngine ADSelfService Plus Custom Script Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html
CVE-2022-28810 - ManageEngine ADSelfService PlusPatch;Vendor Advisory
-
https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/
CVE-2022-28810: ManageEngine Authenticated Command Execution (Fixed) | Rapid7 BlogExploit;Patch;Technical Description;Third Party Advisory
-
https://github.com/rapid7/metasploit-framework/pull/16475
ManageEngine ADSelfService Plus Authenticated RCE (CVE-2022-28810) by jbaines-r7 · Pull Request #16475 · rapid7/metasploit-framework · GitHubExploit;Patch;Third Party Advisory
Jump to