Cyber Resilience

CVE-2023-29084

HighPublic PoCRCE

Published: 13 April 2023

Published
13 April 2023
Modified
07 February 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9388 99.9th percentile
Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29084 is a high-severity Command Injection (CWE-77) vulnerability in Zohocorp Manageengine Admanager Plus. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Zoho ManageEngine ADManager Plus versions prior to 7181 contain a command injection vulnerability, tracked as CVE-2023-29084 and assigned CWE-77, that is reachable through the Proxy settings configuration. The flaw received a CVSS 3.1 score of 7.2, reflecting network attack vector, low attack complexity, and requirements for high privileges.

Authenticated users with administrative access can supply crafted input to the Proxy settings and execute arbitrary operating-system commands on the server, resulting in full compromise of confidentiality, integrity, and availability of the affected instance.

Vendor references point to a ManageEngine knowledge-base article that addresses the issue, and public exploit code has been posted to Packet Storm. The associated EPSS score stands at 0.9388 with a recorded peak of 0.9389, indicating sustained high exploitation probability since disclosure.

EU & UK References

Vulnerability details

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp
manageengine admanager plus
7.1 · ≤ 7.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References