CVE-2022-34829
Published: 04 July 2022
Summary
CVE-2022-34829 is a high-severity vulnerability of unspecified weakness type in Zoho ManageEngine ADSelfService Plus. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ADSelfService Plus versions prior to build 6203 contain a denial-of-service vulnerability in the Mobile App Deployment API. An unauthenticated remote attacker can submit a specially crafted payload that forces the application to restart, resulting in a high-impact availability loss without affecting confidentiality or integrity. The flaw carries a CVSS 3.1 base score of 7.5 and is tracked under NVD-CWE-noinfo (no specific CWE assigned).
Because the attack requires no credentials and can be launched over the network, any internet-facing or internally reachable instance is exposed. A single delivery of the malicious request is enough to trigger the restart, so repeated disruption costs the attacker very little effort.
The vendor published an advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-34829.html that addresses the issue; administrators should apply the fix or upgrade to version 6203 or later to eliminate the exposure. The associated EPSS score has remained flat at its peak value of 0.2547 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37735
Vulnerability details
Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
- CWE(s): NVD-CWE-noinfo
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.