CVE-2022-28810

MEDIUM KEV

ManageEngine ADSelfService Plus Custom Script Execution

Title source: metasploit

Description

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Jake Baines, Hernan Diaz, Andrew Iwamaye, Dan Kelley · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb

Scores

CVSS v3 6.8
EPSS 0.9182
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-03-07
VulnCheck KEV 2022-04-14
InTheWild.io 2023-03-07
ENISA EUVD EUVD-2022-33248
CWE CWE-78, CWE-798
Status published
Products (2)
zohocorp/manageengine_adselfservice_plus 6.1 (23 CPE variants)
zohocorp/manageengine_adselfservice_plus < 6.1
Published Apr 18, 2022
KEV Added Mar 07, 2023
Tracked Since Feb 18, 2026