CVE-2023-48793
Published: 02 February 2024
Summary
CVE-2023-48793 is a critical-severity SQL Injection (CWE-89) vulnerability in Zohocorp ManageEngine ADAudit Plus. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ADAudit Plus through version 7250 contains a SQL injection vulnerability in its aggregate report feature, tracked as CVE-2023-48793 and assigned CWE-89. The flaw carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no requirements for authentication or user interaction, resulting in complete loss of confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to the affected report component and execute arbitrary SQL commands against the underlying database. Successful exploitation grants the ability to read, modify, or delete data and potentially escalate to full system compromise depending on database privileges.
Vendor references point to a targeted fix published at manageengine.com/products/active-directory-audit/sqlfix-7271.html, indicating that administrators should apply the SQL fix released for build 7271 or later to eliminate the injection vector.
EPSS remains flat at 0.0862 with no upward trajectory after disclosure, and no public evidence of in-the-wild exploitation has been recorded.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-52826
Vulnerability details
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
- CWE(s): CWE-89
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.