CVE-2022-28987
Published: 20 May 2022
Summary
CVE-2022-28987 is a medium-severity vulnerability of unspecified weakness type (no CWE assigned) in Zohocorp ManageEngine ADSelfService Plus. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 6.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Zoho ManageEngine ADSelfService Plus versions prior to 6202 contain a username enumeration flaw that permits unauthenticated remote attackers to determine the existence of valid usernames by submitting specially crafted POST requests to the /ServletAPI/accounts/login endpoint. The issue is rated CVSS 5.3 and results in limited information disclosure without requiring authentication or user interaction.
An attacker with network access can repeatedly probe the login servlet to harvest valid account names, which can then be used to focus subsequent attacks such as password guessing or targeted phishing. Because the request requires no credentials, the enumeration can be performed at scale from any internet-facing position.
The vendor advisory published by ManageEngine directs customers to upgrade to ADSelfService Plus build 6202 or later, which contains the fix for the enumeration vector. No workarounds are specified in the available references.
The associated EPSS score reached a peak of 0.1660 and currently sits at 0.1117, indicating moderate and sustained public interest in the issue after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33418
Vulnerability details
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.