CVE-2021-42847
published 2021-11-11

CVE-2021-42847: Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

Priority: P1 (81)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 70.33% (99.3rd percentile)

Affected (2 ranges)

Vendor    Product                    Version range   Fixed in
zohocorp  manageengine_adaudit_plus  < 7.0           7.0
zohocorp  manageengine_adaudit_plus

Detection & IOCs (extracted from sources)

Path: alert_scripts
  • Monitor for new PowerShell script creation inside the ADAudit Plus 'alert_scripts' directory, which is the write target exploited by CVE-2021-42847.
  • Alert on creation of custom alert profiles in ADAudit Plus followed by failed login events to a configured domain — this is the trigger mechanism used to execute the dropped payload.
  • Detect processes spawned by the ManageEngine ADAudit Plus service account (typically local administrator) that invoke PowerShell, as successful exploitation results in RCE under that context.
  • For builds prior to 7004, watch for direct payload insertion into the custom alert script component field of an alert profile via authenticated HTTP requests.
  • Exploitation requires valid authenticated credentials with privileges to create alert scripts; unauthenticated exploitation is not possible for the file-write vector (CVE-2021-42847).
  • The arbitrary file write path (CVE-2021-42847) is only exercised on builds 7004 and 7005; builds prior to 7004 use a different direct-injection code path.
  • The exploit has been validated only on Windows Server 2012 R2 running ADAudit Plus builds 7003 and 7005; behaviour on other OS versions may differ.
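As an added, defender-side illustration of the first and third detection bullets (example code written for this page, not taken from its sources), the script below runs two host rules over constructed file-create and process-create events: a PowerShell script dropped into the alert_scripts directory, and PowerShell launched by a process under the ADAudit Plus install tree. The install path, the helper binary name and all event records are assumptions.

```python
"""Flag host events matching the CVE-2021-42847 detection guidance above."""
from typing import Dict, List, Tuple

# Assumed install location (constructed; adjust to the real path on your hosts).
ADAUDIT_ROOT = r"c:\program files\manageengine\adaudit plus"
ALERT_SCRIPTS_DIR = ADAUDIT_ROOT + r"\alert_scripts"


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower().rstrip("\\")


def is_alert_script_drop(ev: Dict[str, str]) -> bool:
    """Rule 1: a PowerShell script created directly inside alert_scripts."""
    if ev.get("type") != "file_create":
        return False
    folder, _, name = _norm(ev.get("target", "")).rpartition("\\")
    return folder == _norm(ALERT_SCRIPTS_DIR) and name.endswith(".ps1")


def is_service_spawned_powershell(ev: Dict[str, str]) -> bool:
    """Rule 2: a process under the ADAudit Plus tree launching PowerShell."""
    if ev.get("type") != "process_create":
        return False
    parent = _norm(ev.get("parent_image", ""))
    image = _norm(ev.get("image", ""))
    return parent.startswith(_norm(ADAUDIT_ROOT)) and image.endswith("\\powershell.exe")


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, event id) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_alert_script_drop(ev):
            hits.append(("alert_script_drop", ev["id"]))
        if is_service_spawned_powershell(ev):
            hits.append(("service_spawned_powershell", ev["id"]))
    return hits


# Constructed sample events (not observed data); e1 and e3 should fire.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "file_create",
     "target": ADAUDIT_ROOT + r"\alert_scripts\run_alert.ps1"},
    {"id": "e2", "type": "file_create",
     "target": ADAUDIT_ROOT + r"\logs\server.log"},
    {"id": "e3", "type": "process_create",
     "parent_image": ADAUDIT_ROOT + r"\bin\wrapper.exe",  # assumed helper name
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": "e4", "type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule}: {event_id}")
```

Rule 2 on its own will also fire on legitimate alert scripts, so it is best correlated with rule 1 or with the alert-profile creation and failed-login sequence described in the second bullet.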

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P