7.1
CVE-2022-28810
- EPSS 91.61%
- Published 18.04.2022 13:15:08
- Last modified 27.03.2025 13:58:07
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Data is provided by the National Vulnerability Database (NVD)
Zohocorp ≫ Manageengine Adselfservice Plus Version < 6.1
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update-
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6100
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6101
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6102
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6103
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6104
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6105
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6106
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6107
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6108
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6109
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6110
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6111
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6112
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6113
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6114
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6115
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6116
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6117
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6118
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6119
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6120
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6121
07.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
VulnerabilityZoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.
DescriptionApply updates per vendor instructions.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.61% | 0.997 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 0.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.1 | 3.9 | 10 |
AV:N/AC:H/Au:S/C:C/I:C/A:C
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.8 | 0.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-798 Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.