PT-2023-4980 · Zoho · Zoho Manageengine Admanager Plus
Nguyen Quoc Viet
+1
·
Published
2023-09-11
·
Updated
2023-10-04
·
CVE-2023-38743
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine ADManager Plus versions prior to Build 7200
Description
The issue is related to insufficient access control in the Zoho ManageEngine ADManager Plus software for managing Active Directory services. It allows a remote attacker to execute arbitrary commands with superuser privileges. Admin users can execute commands on the host machine.
Recommendations
For Zoho ManageEngine ADManager Plus versions prior to Build 7200, update to Build 7200 or later to resolve the issue. As a temporary workaround, consider restricting access to the
installServiceWithCredentials command to minimize the risk of exploitation.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Admanager Plus