CVE-2024-24409
published 2024-11-08

CVE-2024-24409: Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.

Priority: P2 (64) · CVSS 3.1: 8.8 High · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit likelihood (EPSS): 3.94% (89.1st percentile)

Affected (9 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | admanager_plus | <= 7203 | |
| zohocorp | manageengine_admanager_plus | (8 further ranges; version bounds not captured on this page) | |

Detection & IOCs (extracted from sources)

Source: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
  • Monitor for unexpected modification of the `userAccountControl` attribute on computer objects via ADManager Plus (Security Event ID 4742 on the domain controllers, with a delegation flag reported as enabled in the User Account Control change list), which may indicate abuse of the Modify Computers role to set Unconstrained or Constrained Kerberos Delegation.
  • Monitor for unexpected modification of the `msDS-AllowedToDelegateTo` attribute on computer objects via ADManager Plus (Event ID 4742 with a populated AllowedToDelegateTo field), which may indicate privilege escalation toward Domain Admin via Constrained Kerberos Delegation abuse; the high-value targets are SPNs on domain controllers such as cifs/, ldap/ or host/.
  • Alert on any non-administrator (technician) account setting Constrained Kerberos Delegation (`msDS-AllowedToDelegateTo`) on computer objects: writing delegation settings normally requires SeEnableDelegationPrivilege, which should only be held by members of BUILTIN\Administrators. Note that in the domain controller's own audit log the Subject of such a change is the ADManager Plus service account, not the technician; the technician's identity is only recorded in ADManager Plus's audit reports, so correlate the two by target object and time.
  • Detect ADManager Plus technician accounts accessing CIFS, LDAP, or HOST services on domain controllers via Kerberos delegation tickets (Event ID 4769 for a domain controller computer account whose Transited Services field is populated, i.e. a service ticket obtained through S4U2Proxy), which may indicate successful privilege escalation from Domain User to Domain Admin.
  • Audit ADManager Plus 'Modify Computers' role assignments; the Additional Custom Attribute property is silently granted alongside this role, enabling modification of sensitive AD attributes beyond what the UI indicates.
  • The vulnerability is exploitable only by technician users who have been granted the 'Modify Computers' predefined role in ADManager Plus; scope is limited to computer objects within the Organizational Unit delegated to that technician.
  • Affected versions are ADManager Plus Build 7203 and prior (below 7210); organizations running Build 7210 or later are not affected by this specific privilege escalation path.
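The detection points above, turned into code as an added example (not code from the source write-up or from ManageEngine). It runs over constructed Security-log records normalised to SIEM-style field names: 4742 (computer account changed) for delegation writes, joined to a constructed ADManager Plus audit row to recover the technician behind the service-account change, and 4769 (TGS requested) with a populated Transited Services field for S4U2Proxy tickets to a domain controller. The DC inventory, the service account name `svc-admp`, and the readable form of the User Account Control change list are assumptions.

```python
"""Detection logic for the CVE-2024-24409 abuse path (added example).

Records are constructed and normalised to SIEM-style field names; the
field names follow the Windows Security log for 4742/4769, but the value
formatting is simplified here (assumption).
"""
from datetime import datetime, timedelta

SENSITIVE_SERVICES = {"cifs", "ldap", "host"}        # SPN classes worth delegating to
DOMAIN_CONTROLLERS = {"dc01.corp.example"}           # constructed DC inventory
DC_ACCOUNTS = {h.split(".")[0].upper() + "$" for h in DOMAIN_CONTROLLERS}
ADMP_SERVICE_ACCOUNT = "svc-admp"                    # assumed ADManager Plus AD account
DELEGATION_FLAGS = ("Trusted For Delegation",                  # unconstrained
                    "Trusted To Authenticate For Delegation")  # constrained + protocol transition


def split_spn(spn):
    """'cifs/dc01.corp.example:445' -> ('cifs', 'dc01.corp.example')."""
    svc, _, host = spn.partition("/")
    return svc.strip().lower(), host.split(":")[0].strip().lower()


def targets_dc(spn_list):
    """True if any SPN in a comma-separated msDS-AllowedToDelegateTo value
    names a sensitive service on a domain controller ('-' means unchanged)."""
    for spn in spn_list.split(","):
        svc, host = split_spn(spn)
        if svc in SENSITIVE_SERVICES and host in DOMAIN_CONTROLLERS:
            return True
    return False


def delegation_enabled(uac_changes):
    """Delegation flags that a 4742 'User Account Control' change list
    reports as enabled, e.g. "'Trusted For Delegation' - Enabled"."""
    enabled = []
    for item in (s.strip() for s in uac_changes.split(",")):
        for flag in DELEGATION_FLAGS:
            if flag in item and item.endswith("Enabled"):
                enabled.append(flag)
    return enabled


def check_4742(ev):
    """Reasons a computer-account change (4742) looks like delegation abuse."""
    if ev.get("EventID") != 4742:
        return []
    reasons = []
    flags = delegation_enabled(ev.get("UserAccountControl", "-"))
    if flags:
        reasons.append("userAccountControl delegation flag enabled: " + ", ".join(flags))
    if targets_dc(ev.get("AllowedToDelegateTo", "-")):
        reasons.append("msDS-AllowedToDelegateTo names a DC service: " + ev["AllowedToDelegateTo"])
    return reasons


def technician_for(ev, admp_audit, window=timedelta(minutes=5)):
    """The DC log's Subject is the ADManager Plus service account; the human
    technician only appears in ADManager Plus's own audit trail, so join on
    the target computer within a time window (audit rows are constructed)."""
    subject = ev.get("SubjectUserName", "")
    if subject.lower() != ADMP_SERVICE_ACCOUNT:
        return subject                          # direct AD change: the subject is the actor
    when = datetime.fromisoformat(ev["TimeCreated"])
    target = ev["TargetUserName"].rstrip("$").lower()
    for row in admp_audit:
        same_object = row["object"].rstrip("$").lower() == target
        close = abs(datetime.fromisoformat(row["time"]) - when) <= window
        if same_object and close:
            return row["technician"]
    return None                                 # unexplained change by the service account


def check_4769(ev):
    """A TGS request (4769) for a DC computer account with a populated
    Transited Services field came through S4U2Proxy (constrained delegation);
    TargetUserName is the user being impersonated toward the DC."""
    if ev.get("EventID") != 4769:
        return None
    transited = ev.get("TransitedServices", "-").strip()
    if ev.get("ServiceName", "").upper() in DC_ACCOUNTS and transited not in ("", "-"):
        return {"impersonated": ev["TargetUserName"], "via": transited,
                "dc_account": ev["ServiceName"]}
    return None


def analyse(events, admp_audit):
    findings = []
    for ev in events:
        reasons = check_4742(ev)
        if reasons:
            findings.append({"event": 4742, "computer": ev["TargetUserName"],
                             "technician": technician_for(ev, admp_audit), "reasons": reasons})
        hit = check_4769(ev)
        if hit:
            findings.append({"event": 4769, **hit})
    return findings


# Constructed samples: one delegation write by a technician, one benign
# computer edit, one S4U2Proxy ticket to the DC, one ordinary ticket.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TimeCreated": "2024-11-08T10:02:11", "SubjectUserName": "svc-admp",
     "TargetUserName": "WS-FIN-07$",
     "AllowedToDelegateTo": "cifs/dc01.corp.example, ldap/dc01.corp.example",
     "UserAccountControl": "'Trusted To Authenticate For Delegation' - Enabled"},
    {"EventID": 4742, "TimeCreated": "2024-11-08T10:05:40", "SubjectUserName": "svc-admp",
     "TargetUserName": "WS-FIN-08$", "AllowedToDelegateTo": "-", "UserAccountControl": "-"},
    {"EventID": 4769, "TimeCreated": "2024-11-08T10:09:03", "TargetUserName": "da.alice@CORP.EXAMPLE",
     "ServiceName": "DC01$", "TransitedServices": "host/ws-fin-07.corp.example"},
    {"EventID": 4769, "TimeCreated": "2024-11-08T10:09:30", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "DC01$", "TransitedServices": "-"},
]
SAMPLE_ADMP_AUDIT = [
    {"time": "2024-11-08T10:02:05", "technician": "helpdesk.tom",
     "action": "Modify Computers", "object": "WS-FIN-07$"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS, SAMPLE_ADMP_AUDIT):
        print(finding)
```

Two design points worth keeping when adapting this: the 4769 record names the DC's computer account, not the SPN, so CIFS versus LDAP cannot be told apart from that event alone (the SPN is recoverable from the 4742 AllowedToDelegateTo write instead), and the technician join has to tolerate clock skew between the ADManager Plus server and the domain controllers, which is why a window rather than an exact timestamp match is used.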