CVE-2022-28810

Severity: MEDIUM · CISA KEV

ManageEngine ADSelfService Plus Custom Script Execution

Title source: metasploit

Exploitation Summary

CVE-2022-28810 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 7, 2023. EIP tracks one public exploit: a Metasploit module, exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810, written by Jake Baines, Hernan Diaz, Andrew Iwamaye and Dan Kelley.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2022-28810, an authenticated command execution vulnerability in ManageEngine ADSelfService Plus. It leverages the 'custom script' feature to execute arbitrary commands as SYSTEM when a user resets their password or unlocks their account.

Description

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is not sanitized.

Exploits (1)

Source: metasploit · Working PoC · Quality: Excellent
by Jake Baines, Hernan Diaz, Andrew Iwamaye, Dan Kelley · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb


Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ADSelfService Plus (builds < 6122)
Auth required: yes
Prerequisites: Valid admin credentials (default: admin:admin) · User interaction to trigger payload
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 6.8
EPSS: 0.7042
EPSS Percentile: 99.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2023-03-07
VulnCheck KEV: 2022-04-14
InTheWild.io: 2023-03-07
ENISA EUVD: EUVD-2022-33248
CWE: CWE-78, CWE-798
Status: published
Products (2)
zohocorp/manageengine_adselfservice_plus 6.1 (23 CPE variants)
zohocorp/manageengine_adselfservice_plus < 6.1
Published: Apr 18, 2022
KEV Added: Mar 07, 2023
Tracked Since: Feb 18, 2026