CVE-2022-28810 is a vulnerability in Zoho Corp Manageengine Adselfservice Plus
Published on April 18, 2022
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is not sanitized.
Known Exploited Vulnerability
This Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
The following remediation steps are recommended / required by March 28, 2023: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2022-28810 is exploitable with network access and requires both user interaction and user privileges. This vulnerability is considered to have a low attack complexity. It is known to be actively exploited by threat actors. The potential impact of a successful exploit is considered to be very high.
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.