Cyber Resilience

CVE-2022-28987

Medium · Public PoC

Published: 20 May 2022

Modified: 21 November 2024
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1117 (93.7th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28987 is a medium-severity vulnerability in Zoho ManageEngine ADSelfService Plus; no CWE has been mapped to it. Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS score places it in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Zoho ManageEngine ADSelfService Plus versions prior to 6202 contain a username enumeration flaw that permits unauthenticated remote attackers to determine the existence of valid usernames by submitting specially crafted POST requests to the /ServletAPI/accounts/login endpoint. The issue is rated CVSS 5.3 and results in limited information disclosure without requiring authentication or user interaction.

An attacker with network access can repeatedly probe the login servlet to harvest valid account names, which can then be used to focus subsequent attacks such as password guessing or targeted phishing. Because the request requires no credentials, the enumeration can be performed at scale from any internet-facing position.

The vendor advisory published by ManageEngine directs customers to upgrade to ADSelfService Plus build 6202 or later, which contains the fix for the enumeration vector. No workarounds are specified in the available references.
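As an added defender-side example (not part of this record, nor ManageEngine's own code), the following Python script flags source addresses that send an abnormal number of POSTs to the login servlet named above, using constructed Apache-style access-log lines. The log format, the threshold and the 60-second window are assumptions: ADSelfService Plus logs may differ, and because the probed username sits in the POST body, an access log only exposes the request rate, not the names themselves.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style; not real traffic, and
# ADSelfService Plus itself may log differently, so adapt LOG_RE to the source.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2022:10:00:01 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2022:10:00:02 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498
203.0.113.7 - - [20/May/2022:10:00:03 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2022:10:00:04 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498
198.51.100.4 - - [20/May/2022:10:00:05 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2022:10:00:06 +0000] "GET /authorization.do HTTP/1.1" 200 2048
203.0.113.7 - - [20/May/2022:10:00:07 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_SERVLET = "/ServletAPI/accounts/login"  # endpoint named in the advisory

def parse_line(line):
    """Split one access-log line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_enumeration_sources(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources exceeding `threshold` POSTs to the
    login servlet within any sliding `window` (assumed values; tune to site)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable line: skip rather than crash
        ip, ts, method, path, _status = rec
        if method != "POST" or path != LOGIN_SERVLET:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumeration_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible username enumeration from {ip}: {n} login POSTs in 60s")
```

A rate-only signal also fires on legitimate bursts (password-reset campaigns, shared NAT addresses), so treat a hit as a trigger for reviewing the server's own login audit trail rather than as proof of enumeration.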

The associated EPSS score reached a peak of 0.1660 and currently sits at 0.1117, indicating moderate and sustained public interest in the issue after disclosure.

EU & UK References

Vulnerability details

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zohocorp
Product: manageengine adselfservice plus
Version: 6.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References