CVE-2022-28810
Published: 18 April 2022
Summary
CVE-2022-28810 is a medium-severity OS Command Injection (CWE-78) vulnerability in Zoho ManageEngine ADSelfService Plus. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Deeper analysis
Zoho ManageEngine ADSelfService Plus versions prior to build 6122 contain an OS command injection vulnerability that permits a remote authenticated administrator to execute arbitrary commands as SYSTEM through the policy custom script feature. The issue stems from insufficient input sanitization, specifically an unsanitized password field, and is compounded by the use of a default administrator password. The flaw is tracked under CWE-78 and CWE-798 with a CVSS 3.1 score of 6.8.
An attacker who obtains or guesses the default administrator credentials, or who already holds an administrative account, can use the custom script functionality to run operating-system commands as SYSTEM. Separately, a remote attacker with only partial authentication may reach the same sink by supplying a crafted value in the unsanitized password field, which the product passes into the custom script; this path does not require administrator credentials and likewise yields full compromise of the host.
Vendor guidance and public advisories direct administrators to upgrade to build 6122 or later; the ManageEngine knowledge-base article and Rapid7 analysis both describe the fixed version and the removal of the default credential exposure. Public exploit code, including a Metasploit module, has been released, and the CVE maintains a high EPSS score that reached a peak of 0.9640, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33248
Vulnerability details
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
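The mechanism described above (in the deeper analysis and again in these vulnerability details), as an added example that is not code from ADSelfService Plus, from the vendor, or from the cited Rapid7 analysis: a hypothetical policy-script template with an assumed `%password%` placeholder is rendered by text substitution and handed to a shell, beside a hardened construction that uses no shell and keeps the secret out of the command text entirely. The template, the placeholder name and the injected input are constructed for illustration; `/bin/sh` stands in for the Windows shell the product actually invokes, and `cat` stands in for the script reading its input.

```python
import subprocess

# Constructed example, not ADSelfService Plus code. The placeholder name
# %password% and the shape of the template are assumptions; the page only
# says that an unsanitized password field reaches the policy custom script.
SCRIPT_TEMPLATE = 'echo "%password%"'

# Constructed attacker input: closes the quoted argument, appends a second
# command, then re-opens a quote so the rest of the template still parses.
INJECTION_PAYLOAD = 'x"; echo INJECTED; echo "'


def render_vulnerable(template: str, password: str) -> str:
    """Plain text substitution into a command line: the pattern behind CWE-78."""
    return template.replace("%password%", password)


def run_vulnerable(password: str) -> str:
    """Hand the rendered text to a shell, as the unpatched feature is described to do.

    The product runs on Windows (cmd.exe/PowerShell, as SYSTEM); /bin/sh is used
    here only so the demonstration runs anywhere. The failure is the same: the
    password changes the *structure* of the command, not just a value in it.
    """
    cmd = render_vulnerable(SCRIPT_TEMPLATE, password)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(password: str) -> str:
    """No shell, and the secret is not part of the command text at all.

    argv is a fixed list (nothing the attacker controls is parsed as command
    syntax) and the password travels on stdin, so it is also not exposed in
    process listings. `cat` stands in for the script reading its input.
    """
    return subprocess.run(["cat"], input=password, capture_output=True, text=True).stdout


# Characters that change command structure in POSIX shells; cmd.exe additionally
# treats ^ and % specially, which is one reason deny-lists are a poor fix.
SHELL_METACHARS = set(';|&`$<>()\n"\'\\')


def contains_shell_metachars(value: str) -> bool:
    """Defense-in-depth check for monitoring or input validation (SI-10).

    Rejecting metacharacters in passwords weakens password policy and is easy
    to get wrong per shell, so treat it as a detection/validation aid, not the
    fix; the fix is run_hardened's no-shell construction.
    """
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTION_PAYLOAD)))
    print("hardened:  ", repr(run_hardened(INJECTION_PAYLOAD)))
    print("flagged:   ", contains_shell_metachars(INJECTION_PAYLOAD))
```

Run it directly to watch the injected command execute in the vulnerable path and arrive as a literal string in the hardened one. The metacharacter check is the kind of validation SI-10 asks for, but on its own it is brittle; removing the shell from the execution path is what actually closes the injection, and passing the secret on stdin rather than on the command line keeps it out of process listings as well.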
- CWE(s): CWE-78 (OS Command Injection), CWE-798 (Use of Hard-coded Credentials)
- KEV Date Added: 07 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 (Authenticator Management): directly requires replacement of default authenticators and enforcement of strong, unique passwords, blocking the low-effort default-credential path to the custom-script feature.
SI-10 (Information Input Validation): mandates validation and sanitization of all input fields, eliminating the unsanitized password field that permits OS command injection.
AC-6 (Least Privilege): enforces least privilege so that the service and its policy scripts do not run as SYSTEM, limiting what an authenticated administrator, or an attacker holding the default credential, can reach through the script feature.