Main Vulnerability Database Exploits ID:7771 - Exploit for OS Command Injection in Zoho ManageEngine ADSelfService Plus - CVE-2022-28810

ID:7771 - Exploit for OS Command Injection in Zoho ManageEngine ADSelfService Plus - CVE-2022-28810

Published: May 12, 2022

Vulnerability identifier: #VU62035

Vulnerability risk: Medium

CVE-ID: CVE-2022-28810

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
Zoho ManageEngine ADSelfService Plus

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810

Vulnerability description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in password management functionality, when custom scripts for password sync with required providers are enabled. A remote authenticated user can pass specially crafted data to the application via the password field and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

ID:7771 - Exploit for OS Command Injection in Zoho ManageEngine ADSelfService Plus - CVE-2022-28810

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human