CVE-2022-26653: 
Zoho ManageEngine Remote Access Plus vulnerability analysis and mitigation

Zoho ManageEngine Remote Access Plus before version 10.1.2137.15 contained a vulnerability that allowed guest users to view sensitive domain details, including administrator usernames and GUIDs. The vulnerability was discovered by Matt Dunn and disclosed on February 16, 2022, with a fix released on April 8, 2022 (Raxis Blog, ManageEngine Advisory).

The vulnerability was classified as an Insecure Direct Object Reference (IDOR) issue where authenticated guest users could make direct requests to the /dcapi/ API endpoint to retrieve administrative information. The vulnerability received a CVSS v3.1 base score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allowed guest users to access sensitive domain information including connected Domain Controller details, authentication account information, and update timestamps. This unauthorized access to administrative information could potentially be used for reconnaissance in further attacks (Raxis Blog).

The vulnerability was patched in ManageEngine Remote Access Plus version 10.1.2137.15, released on April 8, 2022. The fix restricts domain API access to administrators only. Users are advised to upgrade to this version or later. The vulnerability does not affect Remote Access Plus Cloud installations (ManageEngine Advisory).