Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. Because a default administrator password is in use, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is not sanitized.
Published 2022-04-18 13:15:08
Updated 2022-04-26 18:07:09
Source MITRE

CVE-2022-28810 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
Notes:
https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-28810.html
Added on: 2023-03-07
Action due date: 2023-03-28

Exploit prediction scoring system (EPSS) score for CVE-2022-28810

EPSS score: 93.44% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (proportion of vulnerabilities scored at or below this one)

Metasploit modules for CVE-2022-28810

  • ManageEngine ADSelfService Plus Custom Script Execution
    Disclosure Date: 2022-04-09
    First seen: 2022-12-23
    exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
    This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. T

CVSS scores for CVE-2022-28810

Base Score | Base Severity | CVSS Vector                                      | Exploitability Score | Impact Score | Score Source
7.1        | HIGH          | AV:N/AC:H/Au:S/C:C/I:C/A:C                        | 3.9                  | 10.0         | NIST
6.8        | MEDIUM        | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H      | 0.9                  | 5.9          | NIST

CWE ids for CVE-2022-28810

References for CVE-2022-28810

Products affected by CVE-2022-28810
