CVE-2019-12476

MEDIUM

ManageEngine ADSelfService Plus < 5.0.6 - Authentication Bypass via Password Reset Keyboard Input Sequence

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12476. PoCs published by 0katz.

AI-analyzed exploit summary: This repository contains a functional HID script exploit for CVE-2019-12476, an authentication bypass vulnerability in ADSelfService Plus. The script automates keyboard inputs to bypass authentication and execute PowerShell, demonstrating unauthenticated remote code execution.

Description

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

Exploits (1)

nomisec WORKING POC 44 stars
by 0katz · poc
https://github.com/0katz/CVE-2019-12476


Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ADSelfService Plus version 4.3.3
No auth needed
Prerequisites: Physical access or HID device emulation (e.g., P4wnP1_aloa) · Target system running ADSelfService Plus 4.3.3
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/0katz/CVE-2019-12476
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108813

Scores

CVSS v3 6.8
EPSS 0.0153
EPSS Percentile 71.4%
Attack Vector PHYSICAL
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-640
Status published
Products (1)
zohocorp/manageengine_adselfservice_plus 4.3.3 - 5.0.6
Published Jun 17, 2019
Tracked Since Feb 18, 2026