CVE-2021-42847
Published: 2021-11-11

CVE-2021-42847: Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
Priority: P1 · 81 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 70.33% (99.3rd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adaudit_plus | < 7.0 | 7.0 |
| zohocorp | manageengine_adaudit_plus | — | — |
Detection & IOCs (extracted from sources)
- Monitor for new PowerShell script creation inside the ADAudit Plus 'alert_scripts' directory, which is the write target exploited by CVE-2021-42847.
- Alert on creation of custom alert profiles in ADAudit Plus followed by failed login events to a configured domain — this is the trigger mechanism used to execute the dropped payload.
- Detect processes spawned by the ManageEngine ADAudit Plus service account (typically local administrator) that invoke PowerShell, as successful exploitation results in RCE under that context.
- For builds prior to 7004, watch for direct payload insertion into the custom alert script component field of an alert profile via authenticated HTTP requests.

Caveats from the same sources:

- Exploitation requires valid authenticated credentials with privileges to create alert scripts — unauthenticated exploitation is not possible for the file-write vector (CVE-2021-42847).
- The arbitrary file write path (CVE-2021-42847) is only exercised on builds 7004 and 7005; builds prior to 7004 use a different direct-injection code path.
- The exploit has been validated only on Windows Server 2012 R2 running ADAudit Plus builds 7003 and 7005; behaviour on other OS versions may differ.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/172258/ManageEngine-ADAudit-Plus-Remote-Code-Execution.html
- https://pitstop.manageengine.com/portal/en/community/topic/fix-released-for-a-vulnerability-in-manageengine-adaudit-plus