CVE-2022-28810
published 2022-04-18


Priority: P1 · 78 · Severity: medium · 6.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-03-28
Exploited in the wild
EPSS: 70.42% (99.3rd percentile)
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is passed to it unsanitized.

Affected (2 ranges)

Vendor    | Product                          | Version range | Fixed in
zohocorp  | manageengine_adselfservice_plus  | < 6.16.1      |
zohocorp  | manageengine_adselfservice_plus  |               |

Detection & IOCs (extracted from sources)

Version: ADSelfService Plus build < 6122
  • A remote and partially authenticated attacker may inject arbitrary commands via an unsanitized password field — monitor ADSelfService Plus password-change/reset HTTP requests for shell metacharacters or command injection patterns in the password parameter.
  • GreyNoise observed active internet-wide scanning/exploitation attempts tagged as 'Zoho ManageEngine ADSelfService Plus CVE-2022-28810 RCE Attempt' — correlate inbound traffic to ADSelfService Plus endpoints against GreyNoise tag hits.
  • After exploitation, the Metasploit module does NOT automatically remove the injected custom script — forensically check ADSelfService Plus custom script configuration fields for residual malicious commands even after an incident appears resolved.
  • The vulnerable 'custom script' feature was entirely removed in build 6122 as part of the CVE-2022-28810 patch — any instance still running a build below 6122 retains the attack surface.
  • Default admin credentials (admin/admin) dramatically lower the bar for exploitation — any internet-exposed instance using defaults is trivially abusable without further credential theft.
  • CISA added this to the Known Exploited Vulnerabilities catalog with a remediation due date of 2023-03-28, confirming active in-the-wild exploitation.
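As an added example (not code from this page, from Zoho, or from the cited sources), the detection side of the bullets above in Python: a build check against the 6122 fix, a scan of constructed password-change request records for shell-operator sequences in password fields, and a listing of populated custom-script fields for forensic review. The endpoint paths, request parameter names and configuration field names are hypothetical, and the request records are constructed for the example.

```python
import re
from urllib.parse import parse_qs

FIXED_BUILD = 6122  # the custom script feature was removed in this build

# Windows-shell injection markers. Lone '$', '!' or '&' are common in strong
# passwords, so match operator sequences (an operator followed by a token)
# rather than single characters, to keep false positives down.
INJECTION = re.compile(
    r"(&&|\|\||[;|&]\s*\w|\$\(|`|%COMSPEC%|\bcmd(\.exe)?\b|\bpowershell\b)",
    re.IGNORECASE,
)

# Constructed request records, "METHOD path body"; endpoint and parameter
# names are hypothetical, not ADSelfService Plus's real ones.
SAMPLE_REQUESTS = [
    "POST /ChangePwd.do old_password=Winter2021!&new_password=Spr1ng%24%21",
    "POST /ChangePwd.do old_password=Winter2021!&new_password=x%26whoami",
    "POST /ResetPwd.do new_password=Summer%24%21%26",  # trailing '&' only
]

# Constructed custom-script configuration as it might be exported from a
# still-unpatched instance (field names hypothetical).
SAMPLE_CUSTOM_SCRIPT = {"post_reset_script": "", "post_change_script": "x&whoami"}


def build_is_vulnerable(build: int) -> bool:
    """Any build below 6122 still ships the custom script feature."""
    return build < FIXED_BUILD


def suspicious_password(value: str) -> bool:
    """True when a password value carries a shell-operator sequence."""
    return INJECTION.search(value) is not None


def scan_requests(lines):
    """Return (path, parameter) pairs whose password-like field looks
    injected. Bodies are URL-decoded first, so %26 is inspected as '&'."""
    hits = []
    for line in lines:
        _method, path, body = line.split(" ", 2)
        for name, values in parse_qs(body).items():
            if "pass" in name.lower() and any(suspicious_password(v) for v in values):
                hits.append((path, name))
    return hits


def residual_script_fields(config: dict) -> list:
    """Populated custom-script fields; on a build below 6122 each one needs a
    forensic look, because exploitation leaves the injected script in place."""
    return [name for name, value in config.items() if value.strip()]
```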

CVSS provenance

Source     | Version | Score | Severity | Vector
nvd        | v3.1    | 6.8   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
nvd        | v2.0    | 7.1   | HIGH     | AV:N/AC:H/Au:S/C:C/I:C/A:C
vulncheck  |         | 6.8   | MEDIUM   |
cisa       |         | 6.8   | MEDIUM   |