CVE-2023-38743
Published: 11 September 2023
Summary
CVE-2023-38743 is a high-severity vulnerability, with no specific weakness type assigned, in Zohocorp ManageEngine ADManager Plus. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 4.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ADManager Plus versions prior to Build 7200 contain a vulnerability that permits administrative users to execute arbitrary commands directly on the underlying host operating system. The affected product is an enterprise tool for Active Directory management, and the flaw carries a CVSS 3.1 base score of 7.2 reflecting network-accessible, low-complexity exploitation that requires high privileges but yields complete confidentiality, integrity, and availability impact.
An authenticated administrator with network access to the ADManager Plus instance can leverage the issue to run operating-system commands under the privileges of the application service account. Successful exploitation therefore grants the attacker the ability to read or modify any data on the host, install persistent tooling, or disrupt the service and the broader Active Directory environment it manages.
The vendor advisory published by ManageEngine explicitly identifies the defect and states that upgrading to Build 7200 resolves the command-execution path. Organizations are advised to apply the update promptly and to restrict administrative access to the console to the smallest possible set of trusted accounts. The associated EPSS score has reached a peak of 0.2433 with a current value of 0.2063, indicating a moderate and sustained estimated likelihood of exploitation since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42518
Vulnerability details
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.