4 July 2022

Security researcher published PoC exploit for Zoho ManageEngine ADAudit Plus bug


Security researcher Naveen Sunkavally from Horizon3.ai uncovered technical details and published proof-of-concept exploit code for a high-severity vulnerability (CVE-2022-28219) in Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory.

Using this vulnerability, a cybercriminal can gain remote access to sensitive information. The flaw exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

According to Sunkavally, he found an endpoint managed by the CewolfRenderer servlet in the third-party Cewolf charting library. This fact interested him, and he decided to dig deeper.

It turned out that this was the same vulnerable endpoint from CVE-2020-10189, reported by researcher Steven Seeley against ManageEngine Desktop Central. As per Sunkavally, the FileStorage class in this library was abused for remote code execution via untrusted Java deserialization.

First, the researcher found out how to execute code remotely. The next thing he did was find a way to upload files without authentication. Sunkavally discovered that some ADAudit Plus endpoints used by agents running on monitored machines to upload security events did not require authentication. He then managed to trigger a blind XXE vulnerability in the ProcessTrackingListener class, which processes events containing Windows scheduled task XML content.

A malicious actor can attack the affected ADAudit Plus instance, obtain Active Directory credentials, and use that access to infect all systems connected to the network with malware.
