CVE-2022-28987
Published 2022-05-20
CVE-2022-28987: Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Priority: P2 · 74 · Medium 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 9.71% (94.9th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | < 6202 | 6202 |
Detection & IOCs (extracted from sources)
- other: `eSTATUS":"Permission Denied`
- other: `eSTATUS":"Your account has been disabled`
- command: raw probe request from the Nuclei template (a blank line separates the headers from the form body)

POST /ServletAPI/accounts/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

loginName=asdfnonexistent
- The vulnerable endpoint is /ServletAPI/accounts/login. Monitor for unauthenticated POST requests to this path carrying a `loginName` parameter, especially in bulk or automated patterns indicative of enumeration. A plain access log records only method and path, not the form body, so matching on `loginName` itself needs WAF or request-body logging.
- Differentiate valid from invalid usernames by inspecting the JSON response body. The Nuclei template submits a deliberately non-existent `loginName` and matches the body for `eSTATUS":"Permission Denied` or `eSTATUS":"Your account has been disabled`; an existing account produces a different response body, and that difference is the enumeration oracle.
- Use Shodan/FOFA queries `http.title:"ADSelfService Plus"` / `title="ADSelfService Plus"` to identify exposed instances for proactive patching or monitoring.
- The template also requires a response Content-Type of `application/json` and HTTP status 200. Use the triple condition (body string, content type, status 200) in WAF/SIEM rules rather than the body string alone.
- The enumeration behavior is specific to ADSelfService Plus versions before 6202; 6202 and later are patched and do not exhibit the differential response.
- The Nuclei template is marked `verified: false`, meaning its detection logic has not been confirmed against a live vulnerable instance and may produce false positives or negatives.
- The template uses an OR condition across two body matchers (Permission Denied vs. account disabled), so detection rules should account for both response variants to avoid missing cases.
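The probe, the triple-condition matcher and the bulk-request pattern described above (and the matcher logic of the Nuclei template further down) as one added example. This is not code from the tracker page, the Nuclei project, or the passtheticket research: a Python script that builds the raw probe, applies the template's matcher conditions to a captured response, extracts the `eSTATUS` value so a baseline (non-existent user) and a candidate response can be compared as an oracle, and flags source addresses that burst POSTs at the endpoint in an Apache/Tomcat common-format access log. The log lines, the JSON bodies and the `Invalid login credentials` message used for the candidate response are constructed for the demonstration; the real message an existing account returns is not on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

LOGIN_PATH = "/ServletAPI/accounts/login"

# Body strings the Nuclei template matches (OR condition between them).
MATCH_STRINGS = (
    'eSTATUS":"Permission Denied',
    'eSTATUS":"Your account has been disabled',
)


def probe_request(host: str, login_name: str = "asdfnonexistent") -> str:
    """Raw HTTP/1.1 probe as in the template; the default loginName is the
    deliberately non-existent value the template sends."""
    body = f"loginName={login_name}"
    return (
        f"POST {LOGIN_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def matches_template(status: int, headers: Dict[str, str], body: str) -> bool:
    """The template's matchers-condition: status 200 AND a JSON content-type
    AND at least one of MATCH_STRINGS in the body."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return (
        status == 200
        and "application/json" in ctype.lower()
        and any(s in body for s in MATCH_STRINGS)
    )


def estatus(body: str) -> Optional[str]:
    """Pull the eSTATUS value out of a JSON response body (None if absent)."""
    m = re.search(r'"eSTATUS"\s*:\s*"([^"]*)"', body)
    return m.group(1) if m else None


def username_oracle(baseline_body: str, candidate_body: str) -> bool:
    """True when the candidate's eSTATUS differs from the baseline obtained with
    a non-existent loginName, i.e. the server leaked that the account exists."""
    base, cand = estatus(baseline_body), estatus(candidate_body)
    return base is not None and cand is not None and base != cand


# Apache/Tomcat common-format access log. The POST body (loginName) is not in
# an access log, so this matches on method + path only; checking the parameter
# needs WAF or full-request logging.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def enumeration_sources(lines: Iterable[str], threshold: int = 10,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {source_ip: total_hits} for sources that POSTed to LOGIN_PATH at
    least `threshold` times inside some `window`-long sliding interval."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue
        hits[m["src"]].append(datetime.strptime(m["ts"], TS_FMT))

    flagged: Dict[str, int] = {}
    for src, times in hits.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # shrink window from the left
                left += 1
            if right - left + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


# Constructed sample data for the demonstration (not captured traffic).
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/May/2022:10:00:{i:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 87'
    for i in range(12)  # 12 probes in 12 seconds: an enumeration burst
] + [
    f'198.51.100.7 - - [20/May/2022:10:00:05 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 87',
    f'198.51.100.7 - - [20/May/2022:10:01:05 +0000] "GET {LOGIN_PATH} HTTP/1.1" 405 0',
]
BASELINE_BODY = '{"eSTATUS":"Permission Denied"}'          # non-existent user (constructed)
CANDIDATE_BODY = '{"eSTATUS":"Invalid login credentials"}'  # placeholder for an existing user

if __name__ == "__main__":
    print(probe_request("adss.example.com"))
    print("template match:", matches_template(200, {"Content-Type": "application/json"}, BASELINE_BODY))
    print("oracle says candidate exists:", username_oracle(BASELINE_BODY, CANDIDATE_BODY))
    print("enumeration sources:", enumeration_sources(SAMPLE_LOG))
```

`enumeration_sources` uses a sliding window rather than a fixed per-minute bucket so a burst straddling a minute boundary is still caught; tune `threshold` and `window` to the normal login rate of the instance, since legitimate users also hit this path.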
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-wf45-x487-v279: ManageEngine ADSelfService Plus v6
ghsa_unreviewed · 2022-05-21 · CVE-2022-28987 [MEDIUM]
ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
VulnCheck
Zoho ManageEngine ADSelfService Plus Username Enumeration
vulncheck · 2022 · CVSS 5.3 · CVE-2022-28987 [MEDIUM]
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Affected: Zoho manageengine_adselfservice_plus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2022-28987
No detection rules found.
Nuclei
Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration
nuclei · CVSS 5.3 · CVE-2022-28987 [MEDIUM]
Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames.
Template:

```yaml
id: CVE-2022-28987

info:
  name: Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration
  author: ritikchaddha
  severity: medium
  description: |
    Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames.
  impact: |
    Attackers can enumerate valid usernames, aiding targeted attacks or account harvesting.
```
No writeups or analysis indexed.
References:
- https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
- https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.py
- https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-28987.html