
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-28810 is a high-severity vulnerability in Zoho ManageEngine ADSelfService Plus affecting builds 6121 and below, discovered in April 2022. The vulnerability allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password (admin), attackers could abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker could inject arbitrary commands into the custom script due to an unsanitized password field (Rapid7 Blog, ManageEngine Advisory).
The vulnerability stems from a feature that allowed the admin user to execute arbitrary operating system commands after a password reset or account lockout status update. The functionality was accessible through the web interface where administrators could configure custom scripts to run during password synchronization. The vulnerability existed because the %password% variable was passed to the configured script without proper sanitization, allowing command injection. For example, if an admin configured a script like 'cmd.exe /c echo %username% %password%', an attacker could inject arbitrary commands through the password field (Rapid7 Blog).
The vulnerability allows authenticated attackers to execute remote code on the machine where ADSelfService Plus is installed, running with SYSTEM privileges. Additionally, because passwords weren't properly sanitized or obfuscated, the admin user could potentially observe all password changes, effectively allowing the recovery of valid credentials for Active Directory accounts (Rapid7 Blog, ManageEngine Advisory).
ManageEngine fixed this vulnerability in ADSelfService Plus build 6122, released on April 9, 2022. The patch includes several security improvements: only VBScript and PowerShell files are allowed for custom scripts, all scripts must be stored in the /Scripts folder, passwords are now encoded and sent as string literals instead of arguments, and scripts must be placed on disk by a user with local system access rather than through the web interface. Organizations are strongly advised to upgrade to build 6122 or later and change the default admin password (ManageEngine Advisory).
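As an added illustration (not ManageEngine's code), the Python below models the pre-6122 behaviour described above, where the %password% token is substituted verbatim into a command template, alongside a builder that enforces the build 6122 rules: only .ps1/.vbs files, located under the Scripts folder, invoked as an argument list with the password encoded and passed as a single literal. The Scripts location, script names and the parameter names the scripts accept are assumptions.

```python
import base64
import pathlib
import re

# Assumed layout: a Scripts folder under the install directory (constructed for this example).
SCRIPTS_DIR = pathlib.Path("Scripts").resolve()
ALLOWED_SUFFIXES = {".ps1", ".vbs"}          # build 6122: VBScript and PowerShell only
SHELL_META = re.compile(r'[&|;<>^"\'`$\r\n]')  # characters that change cmd.exe command structure


def build_pre_6122(template: str, username: str, password: str) -> str:
    """Pre-fix model: tokens are replaced verbatim in a shell command line,
    so a password containing metacharacters becomes part of the command."""
    return template.replace("%username%", username).replace("%password%", password)


def password_alters_command(password: str) -> bool:
    """Detection helper: True if the value would escape an unquoted argument."""
    return SHELL_META.search(password) is not None


def build_post_6122(script: str, username: str, password: str) -> list[str]:
    """Post-fix model: validate the script path, then return an argv list that is
    executed without a shell; the password travels base64-encoded as one argument."""
    path = (SCRIPTS_DIR / script).resolve()
    if SCRIPTS_DIR not in path.parents:
        raise ValueError("script must live inside the Scripts folder")
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("only VBScript and PowerShell scripts are allowed")
    encoded = base64.b64encode(password.encode("utf-16-le")).decode("ascii")
    if path.suffix.lower() == ".ps1":
        # -UserName / -EncodedPassword are assumed script parameters, not product API.
        return ["powershell.exe", "-NoProfile", "-File", str(path),
                "-UserName", username, "-EncodedPassword", encoded]
    return ["cscript.exe", "//Nologo", str(path), username, encoded]


def decode_password(encoded: str) -> str:
    """What the script does on its side to recover the literal password."""
    return base64.b64decode(encoded).decode("utf-16-le")
```

Running `build_post_6122("../evil.ps1", ...)` or passing a `.bat` file raises, while any password value, metacharacters included, reaches the script unchanged and never touches the command line.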
The vulnerability was initially discovered in the wild by Rapid7's MDR team and was reported through Zoho's Bug Bounty program. The discovery was credited to Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly. Due to its active exploitation, CISA added this vulnerability to their Known Exploited Vulnerabilities Catalog on March 7, 2023, requiring federal agencies to address it according to BOD 22-01 (CISA Alert, Rapid7 Blog).
Source: This report was generated using AI