cbcvebase.
CVE-2022-28987
published 2022-05-20

CVE-2022-28987: Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Priority: P2 74, medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Badges: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 9.71% (94.9th percentile)

Affected (1 range)

Vendor: zohocorp
Product: manageengine_adselfservice_plus

Detection & IOCs (extracted from sources)

url: /ServletAPI/accounts/login
other: eSTATUS":"Permission Denied
other: eSTATUS":"Your account has been disabled
command (probe request):
  POST /ServletAPI/accounts/login HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8

  loginName=asdfnonexistent
  • The vulnerable endpoint is /ServletAPI/accounts/login: monitor for unauthenticated POST requests to this path that carry a `loginName` parameter, especially in bulk or automated patterns indicative of enumeration.
  • Valid and invalid usernames can be told apart from the JSON response body: existing (valid or disabled) accounts return `eSTATUS":"Permission Denied` or `eSTATUS":"Your account has been disabled`, while non-existent users return a different response.
  • Use the Shodan/FOFA queries `http.title:"ADSelfService Plus"` / `title="ADSelfService Plus"` to identify exposed instances for proactive patching or monitoring.
  • When an existing (valid or disabled) account is probed, the response has Content-Type `application/json` and HTTP status 200; use this triple condition (body string, content type and status 200) in WAF/SIEM rules.
  • The enumeration behaviour is specific to ADSelfService Plus versions before 6202; versions 6202 and later are patched and do not exhibit the differential response.
  • The Nuclei template is marked `verified: false`, meaning the detection logic has not been confirmed against a live vulnerable instance and may produce false positives or false negatives.
  • The template uses an OR condition across two matchers (Permission Denied vs. account disabled), so detection rules should cover both response variants to avoid missing cases.
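As an added illustration of the detection notes above (this is not code from the page's sources or from the Nuclei template): a small Python detector that applies the triple condition (status 200, JSON content type, either marker string) to a constructed set of proxy/WAF records in a hypothetical log schema, and flags any source that posts many distinct `loginName` values to the endpoint. The "different response" body for non-existent users is a labelled placeholder, since the page does not quote it.

```python
from collections import defaultdict
from urllib.parse import parse_qs

LOGIN_PATH = "/ServletAPI/accounts/login"
# Response fragments from the page: either one means the probed account exists (active or disabled).
EXISTING_ACCOUNT_MARKERS = ('eSTATUS":"Permission Denied', 'eSTATUS":"Your account has been disabled')

def login_name_from_body(req_body):
    """loginName from an application/x-www-form-urlencoded request body, or None if absent."""
    return parse_qs(req_body).get("loginName", [None])[0]

def response_indicates_existing_account(status, content_type, resp_body):
    """The page's triple condition: HTTP 200, JSON content type, and one of the two marker strings."""
    return (status == 200 and content_type.lower().startswith("application/json")
            and any(marker in resp_body for marker in EXISTING_ACCOUNT_MARKERS))

def detect_enumeration(records, threshold=5):
    """Flag sources that POST >= threshold distinct loginName values to the login endpoint.
    Records use a hypothetical proxy/WAF log schema: src, method, path, req_body, status,
    content_type, resp_body. A production rule would also bound the count by a time window."""
    probed = defaultdict(set)    # src -> loginName values tried
    existing = defaultdict(set)  # src -> loginName values the server's response confirmed as existing
    for r in records:
        if r["method"] != "POST" or r["path"] != LOGIN_PATH:
            continue
        name = login_name_from_body(r["req_body"])
        if name is None:
            continue
        probed[r["src"]].add(name)
        if response_indicates_existing_account(r["status"], r["content_type"], r["resp_body"]):
            existing[r["src"]].add(name)
    return {src: {"probed": len(names), "existing": sorted(existing[src])}
            for src, names in probed.items() if len(names) >= threshold}

def _rec(src, name, resp_body, content_type="application/json; charset=UTF-8", status=200):
    return {"src": src, "method": "POST", "path": LOGIN_PATH, "req_body": "loginName=" + name,
            "status": status, "content_type": content_type, "resp_body": resp_body}

# Constructed sample traffic: one source sweeps six names, another makes a single ordinary login.
# The "no such user" body is a placeholder; the page only says it differs from the two markers.
OTHER = '{"eSTATUS":"PLACEHOLDER-different-response"}'
SAMPLE_RECORDS = [
    _rec("203.0.113.5", "alice", '{"eSTATUS":"Permission Denied"}'),
    _rec("203.0.113.5", "bob", '{"eSTATUS":"Your account has been disabled"}'),
    _rec("203.0.113.5", "asdfnonexistent", OTHER),
    _rec("203.0.113.5", "carol", OTHER),
    _rec("203.0.113.5", "dave", OTHER),
    _rec("203.0.113.5", "erin", OTHER),
    _rec("198.51.100.7", "alice", '{"eSTATUS":"Permission Denied"}'),
]
```

Running `detect_enumeration(SAMPLE_RECORDS)` flags only 203.0.113.5, reporting six names probed and two (alice, bob) confirmed by the differential response; a single ordinary login from another address is not reported.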

CVSS provenance

  • nvd, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • nvd, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
  • vulncheck: 5.3 MEDIUM