
Cloud Vulnerability DB
A community-led vulnerabilities database
Zohocorp ManageEngine ADAudit Plus versions below 8121 contain an authenticated SQL injection vulnerability in the extranet lockouts report option. The vulnerability was discovered and fixed on August 19, 2024, with the release of build 8121 (Vendor Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection), allowing authenticated users to execute custom queries against the database through the extranet lockouts report feature (NVD).
This vulnerability could enable an authenticated attacker to execute arbitrary SQL queries and access database table entries through the vulnerable request. The high severity rating indicates potential for significant data exposure and system compromise (Vendor Advisory).
Organizations should immediately update their ADAudit Plus installation to build 8121 or later using the service pack. This build contains the fix for the SQL injection vulnerability (Vendor Advisory).
The vulnerability was responsibly disclosed by security researcher minhgalaxy (Vendor Advisory).
Source: This report was generated using AI