cvebase
CVE-2022-28219
published 2022-04-05

CVE-2022-28219: Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.01% (99.9th percentile)

Affected (2 ranges)

Vendor     Product                    Version range   Fixed in
zohocorp   manageengine_adaudit_plus  <= 6.0
zohocorp   manageengine_adaudit_plus

Detection & IOCs (extracted from sources)

url: /cewolf/
url: /api/agent/tabs/agentData
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus Directory Traversal Leading to Deserialization"; flow:established,to_server; http.uri; content:"/cewolf/"; fast_pattern; content:"?img="; distance:0; pcre:"/^(?:\/?\.\.?\/){2}/R"; content:"|2e 2f|"; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; classtype:attempted-admin; sid:2037216; rev:1; metadata:created_at 2022_06_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_30, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus XXE (CVE-2022-28219)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/agent/tabs/agentData"; endswith; fast_pattern; http.request_body; content:"|22|Task|20|Content|22|"; content:"<?"; distance:0; content:"<!ENTITY|20|"; distance:0; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; reference:cve,2022-28219; classtype:attempted-admin; sid:2037217; rev:1; metadata:attack_target Server, created_at 2022_06_30, cve CVE_2022_28219, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2022_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |2e 2f|
  • Path traversal exploitation targets the /cewolf endpoint through the ?img= parameter, using ../ sequences (URL-encoded or literal) to walk out of the intended directory; the detection matches a URI containing /cewolf/ followed by ?img= and at least two ../ sequences.
  • XXE exploitation targets POST requests to /api/agent/tabs/agentData whose JSON body contains "Task Content" together with an embedded XML declaration (<?...) followed by an <!ENTITY declaration, which is indicative of a blind XXE payload.
  • The nuclei template confirms exploitation by checking for an out-of-band HTTP interaction (interactsh_protocol: http) combined with 'ManageEngine' in the response body, indicating a successful XXE-triggered SSRF/callback.
  • Check Point IPS signature 'Zoho ManageEngine ADAudit Plus Remote Code Execution (CVE-2022-28219)' provides network-level protection against this exploit chain.
  • The vulnerability affects ManageEngine ADAudit Plus versions before build 7060 only; patched installations (build 7060 and later) are not vulnerable.
  • The exploit is a chained attack: the path traversal in /cewolf is combined with the blind XXE in /api/agent/tabs/agentData to achieve unauthenticated RCE, so both endpoints must be monitored together for full coverage.
  • The ET Snort rule for the XXE component (sid:2037217) carries only 'Medium' confidence, meaning it may produce false positives on legitimate agent data submissions to the same endpoint.

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck             9.8     CRITICAL