CVE-2020-11532

CRITICAL

ManageEngine ADAudit Plus Xnode Enumeration

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-11532. PoCs published by Sahil Dhar, Erik Wynter, including Metasploit module auxiliary/gather/manageengine_adaudit_plus_xnode_enum.

AI-analyzed exploit summary This Metasploit module exploits default admin credentials in ManageEngine ADAudit Plus to enumerate Xnode data repositories, which may contain Active Directory information. It supports both targeted and full data dumps via configurable options.

Description

Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.

Exploits (2)

metasploit WORKING POC

by Sahil Dhar, Erik Wynter · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/manageengine_adaudit_plus_xnode_enum.rb

View Code ZIP pw:eip

This Metasploit module exploits default admin credentials in ManageEngine ADAudit Plus to enumerate Xnode data repositories, which may contain Active Directory information. It supports both targeted and full data dumps via configurable options.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: ManageEngine ADAudit Plus < 6.0.3 (6032)

Auth required

Prerequisites: Network access to port 29118 · Default or known credentials for Xnode server

MITRE ATT&CK

T1087 - Account Discovery T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by Sahil Dhar, Erik Wynter · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/manageengine_datasecurity_plus_xnode_enum.rb

View Code ZIP pw:eip

This Metasploit module exploits default admin credentials in ManageEngine DataSecurity Plus to enumerate Xnode data repositories, potentially exposing Active Directory information. It supports both targeted and full data dumps via configurable options.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: ManageEngine DataSecurity Plus versions prior to 6.0.1 (6011)

Auth required

Prerequisites: Network access to target · Default or valid credentials for Xnode server

MITRE ATT&CK

T1087 - Account Discovery T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Mailing List, Third Party Advisory x_refsource_misc

http://seclists.org/fulldisclosure/2020/May/28

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html

Patch, Vendor Advisory x_refsource_confirm

https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues

Scores

CVSS v3 9.8

EPSS 0.7748

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1188

Status published

Products (2)

zohocorp/manageengine_adaudit_plus < 6.0.3

zohocorp/manageengine_datasecurity_plus < 6.0.1

Published May 08, 2020

Tracked Since Feb 18, 2026