CVE-2023-29084
published 2023-04-13

CVE-2023-29084: Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

Priority: P2 · 69 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 98.39% (99.9th percentile)

Affected (2 ranges)

Vendor: zohocorp · Product: manageengine_admanager_plus · Version range: < 7.17.1 · Fixed in: (not listed)
Vendor: zohocorp · Product: manageengine_admanager_plus · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /api/json/admin/saveServerSettings
url: /j_security_check
command: nslookup.exe {{interactsh-url}} 1.1.1.1
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine RecoveryManager Plus updateProxySettings Command Injection (CVE-2023-48646)"; flow:established,to_server; http.uri; content:"/api/json/admin/saveServerSettings"; fast_pattern; http.request_body; content:"admpcsrf|3d|"; content:"|22|PASSWORD|22 3a|"; pcre:"/^\s*\x22[^\x22]*?(?:\x5cr|\x5cn|[\x3b\x26\x60\x7c\x24])/R"; reference:url,hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/; reference:cve,2023-48646; classtype:web-application-attack; sid:2066204; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2023_48646, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit POST request targets /api/json/admin/saveServerSettings with a JSON params array containing a PASSWORD or USERNAME field with an embedded CRLF (\r\n) followed by the injected OS command, used to abuse proxy settings.
  • Exploit flow requires prior authentication via POST to /j_security_check with is_admp_pass_encrypted=false, followed by a GET to /home.do to extract the admpcsrf CSRF token from response headers before sending the injection payload.
  • Successful exploitation response body contains both '{"message":"' and 'Proxy Settings', which can be used as a detection matcher for the exploit's HTTP response.
  • The Snort/ET rule detects the attack by matching the URI /api/json/admin/saveServerSettings, the POST body containing admpcsrf= and a PASSWORD field whose value starts with a quoted string containing CR, LF, or shell metacharacters (;, &, `, |, $).
  • The injection is delivered via the ChangePasswordAction function; the CRLF sequence in USERNAME or PASSWORD breaks out of the proxy settings string and causes the trailing content to be executed as an OS command by the server process (typically running as local administrator on Windows).
  • DNS callback (OOB) via nslookup.exe is used to confirm blind RCE; monitor for unexpected DNS lookups originating from ADManager Plus server processes.
  • The X-Requested-With: XMLHttpRequest header is present in the exploit's injection request; its absence or presence alongside the malicious POST body can aid in distinguishing exploit traffic.
  • Exploitation requires prior valid authentication to ADManager Plus; unauthenticated attackers cannot reach the vulnerable endpoint /api/json/admin/saveServerSettings.
  • The exploit modifies the HTTP proxy settings for the entire ADManager Plus server as a side effect; fetch/HTTP-based payloads will be disrupted by the changed proxy configuration.
  • The ET Snort rule (sid:2066204) is formally attributed to CVE-2023-48646 (RecoveryManager Plus) but references the CVE-2023-29084 ADManager Plus research blog; verify applicability before deploying against ADManager Plus traffic.
  • The ET rule requires TLS decryption to be effective, as indicated by the tls_state and deployment metadata.