Cyber Resilience

CVE-2022-28219

Critical · Public PoC

Published: 05 April 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9420 (99.9th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28219 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Zoho ManageEngine ADAudit Plus. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Cewolf, a charting component bundled in Zoho ManageEngine ADAudit Plus versions prior to 7060, contains an unauthenticated XML External Entity vulnerability (CWE-611) that can be triggered over the network. The flaw carries a CVSS 3.1 score of 9.8 and permits remote code execution with full confidentiality, integrity, and availability impact.

An attacker with no credentials can submit a crafted XML payload to the affected Cewolf endpoint, causing the server to process external entities and ultimately execute arbitrary code on the underlying host.

Vendor guidance and public advisories direct administrators to upgrade ADAudit Plus to release 7060 or later; the same references also document the availability of a targeted patch that removes the vulnerable Cewolf configuration.

The CVE maintains a very high EPSS score, currently 0.9420 with a recorded peak of 0.9723, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp
manageengine adaudit plus
7.0 · ≤ 6.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-611

Penetration testing that includes XML external entity payloads detects XXE vulnerabilities and enables their mitigation.

addresses: CWE-611

Identifies XML external entity processing by monitoring for unusual file or network access or resource usage.

References