Cyber Resilience

CVE-2022-28810

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 18 April 2022
Modified: 31 October 2025
KEV Added: 07 March 2023
Patch: 14 April 2022
CVSS v3.1: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.9038 (99.6th percentile)
Risk Priority: 88 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28810 is a medium-severity OS command injection (CWE-78) vulnerability in Zoho ManageEngine ADSelfService Plus. Its CVSS v3.1 base score is 6.8 (Medium). The Medium rating comes from the PR:H (administrator privileges required) and UI:R components of the vector, not from limited impact: confidentiality, integrity and availability are all rated High, because the injected commands run as SYSTEM.

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS 0.9038); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management), which removes the default-credential path to the feature, and SI-10 (Information Input Validation), which addresses the unsanitized password field.

Deeper analysis

Zoho ManageEngine ADSelfService Plus builds before 6122 contain an OS command injection vulnerability that lets a remote authenticated administrator execute arbitrary commands as SYSTEM through the policy custom script feature. Two weaknesses combine: a password field whose value is passed into the custom script without sanitization, and a default administrator password that makes the required administrative access cheap to obtain. The flaw is tracked under CWE-78 (OS Command Injection) and CWE-798 (Use of Hard-coded Credentials) with a CVSS 3.1 base score of 6.8.

An attacker who guesses or obtains the default credentials, or who already holds administrative access, can use the custom script feature to run operating-system commands of their choosing. Separately, a remote and partially authenticated attacker may be able to inject commands by supplying crafted input through the unsanitized password field, because that value reaches the custom script without neutralization. In either case the commands execute as SYSTEM, so a successful attack is full compromise of the host.
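The injection path described above, as an added example that is not ManageEngine's code and is not taken from the advisories: a stand-in policy hook that receives the account name and the new password. It assumes a POSIX shell and a hypothetical hook path (/opt/adss/hooks/post_reset.sh); the real product runs on Windows, where cmd.exe uses the same & and | separators as those checked here. The vulnerable form interpolates the password into one command line, the hardened form passes an argument vector with shell=False so the password arrives as a single argument whatever it contains, and a small validator shows the kind of SI-10 input check that belongs in front of the call.

```python
"""Added example (not ManageEngine's code): why an unsanitized password
reaching a policy "custom script" is OS command injection (CWE-78), and
what the hardened invocation looks like.

Assumptions made for this illustration only:
  - the hook receives the account name and the new password as arguments;
  - the vulnerable build hands them to a shell as one command line;
  - a POSIX shell is modelled so the example runs anywhere; cmd.exe's
    & and | separators are in the operator set checked below.
"""
import json
import shlex
import subprocess
import sys
from typing import List

# Unquoted shell operators that start a second command.
SHELL_OPERATORS = {";", "&", "&&", "|", "||"}

# Hypothetical hook path; only used to build the command line.
CUSTOM_SCRIPT = "/opt/adss/hooks/post_reset.sh"


def build_command_unsafe(username: str, new_password: str) -> str:
    """Vulnerable pattern: untrusted fields interpolated into a single
    command line that a shell will re-parse."""
    return f"{CUSTOM_SCRIPT} {username} {new_password}"


def shell_words(command_line: str) -> List[str]:
    """Tokenise as a POSIX shell would, keeping operators as their own
    tokens, so we can see what the shell would actually execute."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def smuggled_commands(command_line: str) -> List[str]:
    """Words that would run as additional commands: the token following
    each unquoted shell operator. An empty list means no injection."""
    words = shell_words(command_line)
    return [words[i + 1] for i, w in enumerate(words)
            if w in SHELL_OPERATORS and i + 1 < len(words)]


def invoke_safe(username: str, new_password: str) -> List[str]:
    """Hardened pattern: argument vector, shell=False. The password is
    delivered as exactly one argv entry no matter what it contains.
    The child is a Python one-liner standing in for the hook script; it
    echoes its argv back as JSON so the result can be checked offline."""
    argv = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))",
            username, new_password]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def reject_unsafe_value(value: str, max_len: int = 256) -> None:
    """SI-10 style validation as defence in depth. It deliberately does
    not blacklist shell syntax (that would only weaken passwords and is
    unnecessary once no shell is involved); it rejects what can never be
    a legitimate argument: NUL, other control characters, absurd length."""
    if len(value) > max_len:
        raise ValueError("value too long")
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise ValueError("control character in value")


if __name__ == "__main__":
    payload = "Hunter2; id"   # attacker-chosen "new password"
    cmd = build_command_unsafe("alice", payload)
    print("shell would run:", shell_words(cmd))
    print("extra commands:", smuggled_commands(cmd))
    reject_unsafe_value(payload)
    print("argv seen by hook:", invoke_safe("alice", payload))
```

The argv form is the actual fix for the injection; validation is a second layer, not a substitute. The remaining control from the list below is where the hook runs: a policy script that must execute at all should run under a dedicated low-privilege account rather than SYSTEM, so that an injection that slips through still does not hand over the host.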

Vendor guidance and public advisories direct administrators to upgrade to build 6122 or later; the ManageEngine knowledge-base article and Rapid7 analysis both describe the fixed build and the removal of the default-credential exposure. After upgrading, confirm the installed build number and rotate the administrator credential if it was ever left at the default, since the upgrade addresses the injection but a known password still grants the access this flaw requires. Public exploit code, including a Metasploit module, has been released, and the CVE's EPSS score peaked at 0.9640, indicating sustained exploitation interest after disclosure.

Vulnerability details

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

CWE(s): CWE-78 (OS Command Injection), CWE-798 (Use of Hard-coded Credentials)
KEV Date Added: 07 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Zoho Corp (zohocorp)
Product: ManageEngine ADSelfService Plus
Versions: 6.1 · ≤ 6.1 (builds before 6122 are affected)

Mitigating Controls (NIST 800-53 r5)

prevent: IA-5 (Authenticator Management). Directly requires replacement of default authenticators and enforcement of strong, unique passwords, blocking the low-effort default-credential path to the custom-script feature.

prevent: SI-10 (Information Input Validation). Mandates validation and sanitization of all input fields, closing the injection path through the unsanitized password field; in practice this means the password must never be handed to a shell as part of a command string.

prevent: AC-6 (Least Privilege). Enforces least privilege so that the policy script feature does not run as SYSTEM, limiting what even an authenticated administrator, or an attacker holding those credentials, can do through it.

References