PT-2022-19250 · Zoho · Zoho ManageEngine ADSelfService Plus

Andrew Iwamaye +3 · Published 2022-04-18 · Updated 2025-10-31 · CVE-2022-28810

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus, builds prior to 6122.
Description: The issue allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, an attacker may be able to reach this functionality with little effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is passed to it unsanitized: when the password sync feature that hands the password to the custom script as a script argument is enabled, cmd.exe metacharacters in the submitted password are interpreted as additional commands, giving remote code execution.
Recommendations: Update to build 6122 or later, which contains the fix. Until the update can be applied, disable the policy custom script feature, restrict which policies and users can reach the password sync feature that passes passwords as script arguments, and avoid referencing the password field in any custom script. Change the default administrator password so the custom script feature cannot be reached with known credentials.
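The injection mechanism described above, reduced to its essentials as an added illustration (this is not the vendor's code and not an exploit for the product; the template, script paths and the environment variable name are hypothetical). It contrasts the vulnerable pattern of expanding a user-controlled password into a single cmd.exe command line with a hardened pattern that never puts the secret on a command line at all:

```python
import os
import re
import subprocess

# Constructed, hypothetical custom-script template in the style of a
# post-password-change hook: %username% and %password% are macros the
# application expands before launching the script.
SCRIPT_TEMPLATE = r'C:\scripts\sync.bat %username% %password%'

# cmd.exe command separators and pipes; sufficient for this illustration.
CMD_SEPARATORS = re.compile(r'&&|\|\||[&|]')


def render_vulnerable(template, username, password):
    """Vulnerable pattern (assumed for illustration, not the vendor's code):
    plain text substitution of user-controlled fields into ONE command line
    that is later handed to `cmd.exe /c`. Whatever cmd.exe treats specially
    inside the password survives untouched."""
    return template.replace('%username%', username).replace('%password%', password)


def commands_cmd_would_run(cmdline):
    """Split a rendered line the way cmd.exe would, one element per command.
    A safe rendering yields exactly one element; an injected one yields more."""
    return [part.strip() for part in CMD_SEPARATORS.split(cmdline) if part.strip()]


def build_hardened_invocation(script_path, username, password):
    """Hardened pattern: the script is launched as an argv list with no shell,
    and the password is handed over through an environment variable that the
    script reads itself, so it never appears on any command line. (Even with
    shell=False a .bat/.cmd target is still executed by cmd.exe, which is
    another reason the secret must not be an argument.) The variable name
    ADSSP_NEW_PASSWORD is a hypothetical choice for this example."""
    argv = [script_path, username]
    extra_env = {'ADSSP_NEW_PASSWORD': password}
    return argv, extra_env


def run_hardened(script_path, username, password):
    """Launch the script with the hardened invocation; not called in the demo."""
    argv, extra_env = build_hardened_invocation(script_path, username, password)
    env = {**os.environ, **extra_env}
    return subprocess.run(argv, env=env, shell=False, check=False)


if __name__ == '__main__':
    # Constructed sample input: a password reset request carrying a cmd.exe
    # command separator. Nothing below is executed; we only show the rendering.
    evil_password = 'Passw0rd! & whoami > C:\\pwned.txt'
    rendered = render_vulnerable(SCRIPT_TEMPLATE, 'jdoe', evil_password)
    print('vulnerable command line :', rendered)
    print('cmd.exe would run       :', commands_cmd_would_run(rendered))
    argv, extra_env = build_hardened_invocation(r'C:\scripts\sync.py', 'jdoe', evil_password)
    print('hardened argv           :', argv)
    print('hardened extra env      :', list(extra_env))
```

The split in `commands_cmd_would_run` is also a usable check for defenders: if a rendered custom-script line ever produces more than one element, the password (or username) field has reached the shell as code rather than data.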

Exploit

Fix

Weakness Enumeration

OS Command Injection (CWE-78)
Use of Hard-coded Credentials (CWE-798)

Related Identifiers

CVE-2022-28810

Affected Products

Zoho ManageEngine ADSelfService Plus