CVE-2022-28810

6.8

CVSS
Medium

PUBLISHED

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as...

Exploited in the wild Remote Low complexity

Vendor: Zoho
Product: ManageEngine ADSelfService Plus
Published: Apr 18, 2022
EPSS: —

Description

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

cisa metasploit

CVSS scores

CVSS v3.1 6.8 Medium

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS v2.0 7.1

AV:N/AC:H/Au:S/C:C/I:C/A:C

Exploitation status

Exploited in the wild

Recorded 2023-03-07 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Mar 07, 2023

Scanner integrations

Scanner	Reference	Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb	Apr 28, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

manageengine_adselfservice_plus_cve_2022_28810

metasploit · Created Unknown

Metasploit module for CVE-2022-28810

Vulnerability detail