⚠ Actively exploited
Added to CISA KEV on 2023-03-07. Federal agencies required to patch by 2023-03-28. Required action: Apply updates per vendor instructions.
CVE-2022-28810 — OS Command Injection in ManageEngine ADSelfService Plus
Severity
6.8 MEDIUM (NVD)
EPSS
91.8% (top 0.31%)
CISA KEV
Added 2023-03-07, due 2023-03-28
Exploit
Exploited in the wild; active exploitation observed
Timeline
Published: 2022-04-18
KEV added: 2023-03-07
KEV due: 2023-03-28
CISA Required Action: Apply updates per vendor instructions.
Description
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, an attacker may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script via an unsanitized password field. The 6.8 base score reflects the administrator path (PR:H/UI:R); the default-password and partially-authenticated paths described here require far less, so treat this as a patch-now item regardless of the MEDIUM rating.
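Two checks a defender would want from this description, written here as an added example that is not part of this record and not Zoho's code: a build-number gate against the fix threshold stated above (build 6122), and a hunt over process-creation telemetry for shells spawned by the ADSelfService Plus service, since the custom-script feature hands the injected command to the OS as SYSTEM. Assumptions not stated on the page: the product is installed under the default directory `C:\ManageEngine\ADSelfService Plus\` and runs from its bundled `jre\bin\java.exe`, and a custom policy script runs as a child of that Java process. The events below are constructed Sysmon-style records, not real telemetry.

```python
"""Triage helpers for CVE-2022-28810 (added example, not Zoho's code).

Assumptions not stated in the advisory:
  * ADSelfService Plus is installed under C:\\ManageEngine\\ADSelfService Plus\\
    and runs from the bundled jre\\bin\\java.exe;
  * a custom policy script is executed as a child process of that Java
    service, so a shell child of it running as SYSTEM is the thing to hunt.
"""
import re

FIXED_BUILD = 6122  # first fixed build named in the advisory


def is_affected(build):
    """True when the installed build predates the fix (i.e. build < 6122)."""
    return int(build) < FIXED_BUILD


# Assumed default install path of the product's bundled Java runtime.
ADSSP_JAVA = re.compile(r"\\ManageEngine\\ADSelfService Plus\\.*\\java\.exe$",
                        re.IGNORECASE)
# Interpreters a custom script could hand an injected command to.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def flag_event(ev):
    """Return a finding string if a process-creation event looks like the
    custom-script feature spawning a shell, otherwise None."""
    if not ADSSP_JAVA.search(ev.get("ParentImage", "")):
        return None
    child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if child not in SHELLS:
        return None
    return "%s spawned by ADSelfService Plus java.exe as %s: %s" % (
        child, ev.get("User", "?"), ev.get("CommandLine", ""))


def scan(events):
    """Run flag_event over a list of events and keep only the findings."""
    return [f for f in (flag_event(e) for e in events) if f]


# Constructed Sysmon Event ID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {   # injected command reaching cmd.exe as SYSTEM: should be flagged
        "ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # the service launching a second JVM, not a shell: benign
        "ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
        "Image": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
        "CommandLine": "java.exe -version",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # an admin opening a prompt from Explorer: unrelated parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
        "User": r"CORP\admin",
    },
]

if __name__ == "__main__":
    print("build 6121 affected:", is_affected(6121))
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first constructed event is reported; the parent-path test keeps ordinary admin shells out, and the interpreter allow-list keeps the service's own non-shell children out. Adjust `ADSSP_JAVA` to the real install path before running this against production telemetry.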
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability: 0.9 | Impact: 5.9
Affected Packages (1 package)
Patches
🔴 Vulnerability Details
GHSA
GHSA-q392-qg7v-xvc4 (2022-04-19): Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD
CVE List
CVE-2022-28810 (2022-04-18): Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTE…