PT-2023-4980 · Zoho · Zoho Manageengine Admanager Plus

Nguyen Quoc Viet

Publicado

2023-09-11

Atualizado

2023-10-04

CVE-2023-38743

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine ADManager Plus versions prior to Build 7200

Description The issue is related to insufficient access control in the Zoho ManageEngine ADManager Plus software for managing Active Directory services. It allows a remote attacker to execute arbitrary commands with superuser privileges. Admin users can execute commands on the host machine.

Recommendations For Zoho ManageEngine ADManager Plus versions prior to Build 7200, update to Build 7200 or later to resolve the issue. As a temporary workaround, consider restricting access to the installServiceWithCredentials command to minimize the risk of exploitation.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-264

Identificadores relacionados

BDU:2023-05519

CVE-2023-38743

ZDI-23-1488

Produtos afetados

Zoho Manageengine Admanager Plus

PT-2023-4980 · Zoho · Zoho Manageengine Admanager Plus

CVE-2023-38743

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11