CVE-2022-28810
Published 2022-04-18
Priority P178 · medium 6.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-03-28
Exploited in the wild
EPSS: 70.42% (99.3rd percentile)
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script through an unsanitized password field.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | < 6.1 | 6.1 |
| zohocorp | manageengine_adselfservice_plus | — | — |
Detection & IOCs (extracted from sources)
- A remote and partially authenticated attacker may inject arbitrary commands via the unsanitized password field: monitor ADSelfService Plus password-change and password-reset HTTP requests for shell metacharacters or command-injection patterns in the password parameter.
- GreyNoise observed active internet-wide scanning and exploitation attempts tagged 'Zoho ManageEngine ADSelfService Plus CVE-2022-28810 RCE Attempt': correlate inbound traffic to ADSelfService Plus endpoints against GreyNoise tag hits.
- After exploitation, the Metasploit module does NOT automatically remove the injected custom script: forensically check the ADSelfService Plus custom script configuration fields for residual malicious commands even after an incident appears resolved.
- The vulnerable custom script feature was removed entirely in build 6122 as part of the CVE-2022-28810 patch: any instance still running a build below 6122 retains the attack surface.
- Default admin credentials (admin/admin) dramatically lower the bar for exploitation: any internet-exposed instance still using the defaults is trivially abusable without further credential theft.
- CISA added this CVE to the Known Exploited Vulnerabilities catalog with a remediation due date of 2023-03-28, confirming active in-the-wild exploitation.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.1 | HIGH | AV:N/AC:H/Au:S/C:C/I:C/A:C |
| vulncheck | — | 6.8 | MEDIUM | — |
| cisa | — | 6.8 | MEDIUM | — |
GHSA
GHSA-q392-qg7v-xvc4: Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD
ghsa_unreviewed · 2022-04-19
CVE-2022-28810 [HIGH] CWE-78 GHSA-q392-qg7v-xvc4: Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD
Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD.EXE input in a password field. This only occurs if a certain password sync feature is enabled that uses passwords as script arguments.
VulnCheck
Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
vulncheck · 2022 · CVSS 6.8
CVE-2022-28810 [MEDIUM] CWE-78 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/
- https://www.welivesecurity.com/wp-content/uploads/2022/11/eset_apt_activity_report_t22022.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.mandiant.com/resources/blog/zero-days-exploited-2022
- https://www.rapid7.com/globalassets/_pdfs/research/rapid7_2024_attack_intelligence_
CISA
Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
cisa · 2023-03-07 · CVSS 6.8
CVE-2022-28810 [MEDIUM] CWE-78 Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
Affected: Zoho ManageEngine
Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
Required Action: Apply updates per vendor instructions.
Notes:
- https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-28810.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-28810
Remediation Due Date: 2023-03-28
No detection rules found.
Greynoiseio
The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
blogs_greynoiseio · CVSS 6.8
[MEDIUM] The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
References
- http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html
- https://github.com/rapid7/metasploit-framework/pull/16475
- https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html
- https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-28810
Timeline
- 2022-04-18: Published
- 2023-03-07: Added to CISA KEV
- Exploited in the wild