CVE-2023-48793

Severity: Critical
Published: 02 February 2024
Modified: 11 June 2025
KEV Added: not listed
Patch: vendor SQL fix for build 7271 (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0862 (92.6th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-48793 is a critical-severity SQL Injection (CWE-89) vulnerability in Zoho ManageEngine ADAudit Plus. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 7.4% of CVEs by exploit likelihood (EPSS 92.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine ADAudit Plus through version 7250 contains a SQL injection vulnerability in its aggregate report feature, tracked as CVE-2023-48793 and assigned CWE-89. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no requirements for authentication or user interaction, resulting in complete loss of confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input to the affected report component and execute arbitrary SQL commands against the underlying database. Successful exploitation grants the ability to read, modify, or delete data and potentially escalate to full system compromise depending on database privileges.

Vendor references point to a targeted fix published at manageengine.com/products/active-directory-audit/sqlfix-7271.html, indicating that administrators should apply the SQL fix released for build 7271 or later to eliminate the injection vector.

EPSS remains flat at 0.0862 with no upward trajectory after disclosure, and no public evidence of in-the-wild exploitation has been recorded.

Vulnerability details

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zohocorp
Product: manageengine adaudit plus
Version: 7.2 (affected: ≤ 7.2)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.

References

- Vendor fix notice: manageengine.com/products/active-directory-audit/sqlfix-7271.html