10 matches found
CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...
CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
The U.S. Cybersecurity and Infrastructure Security Agency CISA has added three security flaws to its Known Exploited Vulnerabilities KEV catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2022-35914 CVSS score: 9.8 - Teclib GLPI Remote Code Execution...
Zoho ManageEngine ADSelfService Plus Command Injection (CVE-2022-28810)
A command injection vulnerability exists in Zoho ManageEngine ADSelfService Plus. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system...
Metasploit Weekly Wrap-Up
ManageEngine ADSelfService Plus Authenticated RCE This module is pretty exciting for us because it's for a vulnerability discovered by our very own Rapid7 researchers Jake Baines, Hernan Diaz, Andrew Iwamaye, and Dan Kelly. The vulnerability allowed for attackers to leverage the "custom script"...
ManageEngine ADSelfService Plus Custom Script Execution
This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin"...
ManageEngine ADSelfService Plus Custom Script Execution Exploit
This Metasploit module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided...
ManageEngine ADSelfService Plus Custom Script Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ManageEngine ADSelfService Plus Custom Script Execution', 'Description' = %q This module exploits the "custom script" feature of ADSelfService...
CVE-2022-28810
creationtimestamp| type| source ---|---|--- 2022-04-18 16:24:09+00:00| seen| https://t.me/cibsecurity/41007 2022-04-20 19:41:20+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengineadselfservicepluscve202228810.rb 2023-03-08...
CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...
CVE-2022-28810
Affected product and version: Zoho ManageEngine ADSelfService Plus (pre-build 6122). Vulnerability type and impact: command injection via the policy custom script feature that allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM; exploitation could be facilitated...