cbcvebase.
CVE-2022-29457
published 2022-04-18

Priority: P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.72% (93.9th percentile)
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adaudit_plus | < 7.0.0 | 7.0.0 |
| zohocorp | manageengine_adaudit_plus | | |
| zohocorp | manageengine_admanager_plus | < 7.1 | 7.1 |
| zohocorp | manageengine_admanager_plus | | |
| zohocorp | manageengine_adselfservice_plus | < 6.1 | 6.1 |
| zohocorp | manageengine_adselfservice_plus | | |
| zohocorp | manageengine_exchange_reporter_plus | < 5.7 | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | | |

Detection & IOCs (extracted from sources)

  • url: `j_security_check`
  • url: `webclient/index.html`
  • url: `ServletAPI/Reports/saveReportScheduler`
  • cookie: `_zcsr_tmp`
  • path: `\\<listener>\share`

  • Monitor for POST requests to the endpoint `ServletAPI/Reports/saveReportScheduler` containing a UNC path (e.g., `\\<attacker-IP>\share`) in the `STORAGE_PATH` parameter — this is the core exploitation step that triggers outbound NTLM authentication to an attacker-controlled SMB server.
  • Alert on outbound SMB (TCP 445) connections originating from ManageEngine ADSelfService Plus / ADAuditPlus / Exchange Reporter Plus / ADManagerPlus service accounts to external or unexpected hosts, as the exploit forces the server to authenticate to an attacker SMB listener, leaking NTLMv2 hashes.
  • Detect the patched-state indicator: a patched target returns the string `adssp.reports.schedule_reports.storage_path.unc_storage_path` in the response body when a UNC STORAGE_PATH is submitted. Absence of this string on vulnerable builds means the UNC path was accepted.
  • Flag NTLM relay attempts: the exploit explicitly supports relaying captured hashes to SMB (`-t smb://TARGET`) or LDAP/LDAPS (`-t ldaps://TARGET`) via ntlmrelayx, so monitor for unexpected NTLM authentications on internal SMB/LDAP services.
  • The vulnerability affects multiple ManageEngine products across different version thresholds; ensure patching covers all affected products (ADSelfService Plus < 6121, ADAuditPlus < 7060, Exchange Reporter Plus < 5701, ADManagerPlus < 7131).
  • The exploit requires valid application credentials (either an ADSelfService Plus local account or a domain user account) to authenticate before triggering the NTLM leak — the vulnerability is exploitable by authenticated low-privileged users, not just admins.
  • The NTLMv2 hash capture is not immediate; the scheduled report fires approximately every 5 minutes, meaning defenders have a short window to detect the malicious scheduler entry before hash exfiltration occurs.
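
The first monitoring item above, written out as detection logic. This is an added example, not code from the vendor or from the referenced exploit. It assumes a proxy or WAF log in JSON lines with hypothetical fields `src`, `method`, `url` and `body`, and it goes slightly beyond the page by also treating forward-slash and multiply percent-encoded paths as UNC; the addresses and the allowlisted host `fs01.corp.example` are constructed.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "ServletAPI/Reports/saveReportScheduler"  # endpoint named on this page
PARAM = "STORAGE_PATH"                                # parameter named on this page
# \\host\share or //host/share; excluding "?" skips local \\?\C:\ device paths.
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/?]+)[\\/]")

def decode_fully(value, rounds=3):
    """Undo layered percent-encoding such as %255C -> %5C -> backslash."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def unc_host(record):
    """Return the UNC host in STORAGE_PATH for a scheduler POST, else None."""
    url = urlsplit(record.get("url", ""))
    if record.get("method", "").upper() != "POST" or not url.path.endswith(ENDPOINT):
        return None
    # The parameter may arrive in the query string or in the form body.
    params = parse_qs(url.query + "&" + record.get("body", ""))
    for name, values in params.items():
        if name.upper() != PARAM:
            continue
        for raw in values:
            match = UNC_RE.match(decode_fully(raw).strip())
            if match:
                return match.group("host").lower()
    return None

def find_alerts(log_lines, approved_hosts=frozenset()):
    """Return (client, unc_host) for each UNC target not on the allowlist."""
    hits = ((r["src"], unc_host(r)) for r in map(json.loads, log_lines))
    return [(src, host) for src, host in hits if host and host not in approved_hosts]

# Constructed sample records (not real traffic): (client, method, form body).
SAMPLE_LOG = [json.dumps({"src": s, "method": m, "url": "/" + ENDPOINT, "body": b}) for s, m, b in [
    ("10.1.1.20", "POST", "STORAGE_PATH=%5C%5C192.0.2.10%5Cshare"),
    ("10.1.1.21", "POST", "STORAGE_PATH=C%3A%5CReports"),
    ("10.1.1.22", "POST", "storage_path=%255C%255Cfs01.corp.example%255Creports"),
    ("10.1.1.23", "POST", "STORAGE_PATH=%2F%2F198.51.100.7%2Fshare"),
    ("10.1.1.24", "GET", ""),
]]

if __name__ == "__main__":
    for client, host in find_alerts(SAMPLE_LOG, {"fs01.corp.example"}):
        print(f"ALERT {client} set STORAGE_PATH to UNC host {host}")
```

Each returned host can be correlated with outbound TCP 445 connections from the ManageEngine server, which is the second monitoring item above.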

CVSS provenance

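| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |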