CVE-2022-28219

CRITICAL EXPLOITED NUCLEI LAB

ManageEngine ADAudit Plus CVE-2022-28219

Title source: metasploit

Exploitation Summary

CVE-2022-28219 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits, from researchers including horizon3ai, rbowes-r7 and aeifkz; one of them is the Metasploit module exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2022-28219, a deserialization vulnerability in Apache Solr, by crafting a malicious XML payload with XXE and Java deserialization to achieve remote code execution. It includes a custom web server to host malicious DTD and JAR files for payload delivery.

Description

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

Exploits (4)

nomisec WORKING POC 45 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2022-28219

This PoC exploits CVE-2022-28219, a deserialization vulnerability in Apache Solr, by crafting a malicious XML payload with XXE and Java deserialization to achieve remote code execution. It includes a custom web server to host malicious DTD and JAR files for payload delivery.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Apache Solr (versions affected by CVE-2022-28219)
No auth needed
Prerequisites: Network access to vulnerable Apache Solr instance · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by rbowes-r7 · poc
https://github.com/rbowes-r7/manageengine-auditad-cve-2022-28219

This repository contains a proof-of-concept exploit for CVE-2022-28219, an XXE vulnerability in ManageEngine ADAudit Plus. The exploit demonstrates file reading, password hash retrieval, and arbitrary file planting via XXE and deserialization attacks.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ADAudit Plus
No auth needed
Prerequisites: Network access to the target server · Ruby and required gems installed
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 1 star
by aeifkz · poc
https://github.com/aeifkz/CVE-2022-28219-Like

This repository contains a stub implementation mimicking CVE-2022-28219, focusing on XML parsing in a servlet. It lacks exploit payloads or offensive techniques, serving as a basic test environment.

Classification: Stub 80%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Custom servlet application
No auth needed
Prerequisites: Access to the servlet endpoint
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Naveen Sunkavally, Ron Bowes · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb

This Metasploit module exploits CVE-2022-28219, a combination of path traversal and blind XXE vulnerabilities in ManageEngine ADAudit Plus to upload and execute a malicious payload. It leverages Java deserialization for remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: ManageEngine ADAudit Plus (versions before build 7060)
No auth needed
Prerequisites: Network access to the target server · Target server running a vulnerable version of ADAudit Plus
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution
CRITICAL · VERIFIED · by dwisiswant0
Shodan: http.title:"ADAudit Plus" || http.title:"ManageEngine - ADManager Plus" || http.title:"adaudit plus" || http.title:"manageengine - admanager plus"
FOFA: title="adaudit plus" || http.title:"manageengine - admanager plus"

References (5)

Core References
Vendor Advisory x_refsource_misc
https://manageengine.com
Exploit, Third Party Advisory x_refsource_misc
https://www.horizon3.ai/red-team-blog-cve-2022-28219/
Product, Third Party Advisory x_refsource_misc
http://cewolf.sourceforge.net/new/index.html

Scores

CVSS v3 9.8
EPSS 0.9420
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-13
CWE CWE-611
Status published
Products (2)
zohocorp/manageengine_adaudit_plus 7.0 7000 (13 CPE variants)
zohocorp/manageengine_adaudit_plus < 6.0
Published Apr 05, 2022
Tracked Since Feb 18, 2026