CVE-2022-28810 — Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

Zoho ManageEngine ADSelfService Plus — OS Command Injection via Password Reset Endpoint Enabling Authenticated RCE

What is Zoho ManageEngine ADSelfService Plus?

Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory environments. It allows end users to reset their own passwords, unlock accounts, and enroll in multi-factor authentication — reducing IT helpdesk burden. Because ADSelfService Plus is tightly integrated with Active Directory and often exposed to a broad user population (including remote workers), vulnerabilities in its password reset workflows can have significant impact on AD infrastructure security. ManageEngine products have been a recurring target for threat actors, with multiple CVEs added to CISA KEV.

Overview

CVE-2022-28810 is an OS command injection vulnerability (CWE-78) in Zoho ManageEngine ADSelfService Plus. During a password change or reset operation, the application passes user-supplied input to an underlying OS command without adequate sanitization, allowing an authenticated attacker with admin privileges to inject OS commands that execute on the server. ManageEngine patched this in Build 6122 (released April 9, 2022). CISA added it to KEV in March 2023, reflecting confirmed exploitation.

Affected Versions

Product              Vulnerable     Fixed
ADSelfService Plus   < Build 6122   Build 6122

Technical Details

The vulnerability exists in ADSelfService Plus's custom script execution functionality used during password change or reset operations. The product allows administrators to configure custom scripts that execute when a user changes or resets their password (for notification or provisioning purposes). The input passed to these script execution paths was not properly sanitized against OS command injection sequences:

  • Root cause: User-controlled or admin-controlled input incorporated into OS command execution (CWE-78) without shell metacharacter escaping
  • Authentication required: High — exploiting this vulnerability requires admin-level credentials in ADSelfService Plus
  • User interaction: Required (an admin-level action that triggers the vulnerable code path)
  • Impact: Full OS command execution on the ADSelfService Plus server in the context of the service account — often a domain-privileged account for AD integration
  • AD integration risk: ADSelfService Plus typically runs as a service account with Active Directory write access for password reset operations; code execution on this server can compromise the AD-integrated service account
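The bullets above name the CWE-78 pattern without showing it. What follows is an added example written for this page, not code from ADSelfService Plus or from the vendor: the notification program path, the `--user` parameter and the username allow-list are assumptions. It places the vulnerable construction (untrusted data interpolated into a string a shell will parse) beside the hardened form (strict allow-list validation, then an argv list handed to the process API with no shell in between).

```python
import re
import subprocess
from typing import List

# Assumed post-reset notification program. The product's real custom-script
# configuration is not documented on this page; this path is a placeholder.
# Keep the target a native executable (or invoke an interpreter with an explicit
# -File argument): on Windows, CreateProcess runs .bat/.cmd files through cmd.exe,
# which re-parses the command line and defeats the argv-list protection below.
NOTIFY_PROGRAM = r"C:\Corp\notify_reset.exe"

# Allow-list for a sAMAccountName-style identifier (assumption; adjust to your
# naming convention). Anything outside this set is rejected before it gets near
# a command line.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Characters that change command structure in cmd.exe or a POSIX shell.
SHELL_META = set(';&|<>`$(){}[]!^%"\'\n\r')


def build_command_unsafe(username: str) -> str:
    """The CWE-78 pattern the advisory describes: untrusted data is pasted into a
    string that a shell will parse, so every metacharacter in `username` becomes
    part of the command's structure rather than part of one argument."""
    return f'{NOTIFY_PROGRAM} --user "{username}"'


def contains_shell_metachar(value: str) -> bool:
    """True if `value` holds any character a shell would treat specially."""
    return any(ch in SHELL_META for ch in value)


def build_command_safe(username: str) -> List[str]:
    """Hardened form: reject anything outside the allow-list, then pass the value
    as its own argv element. With shell=False the list goes straight to the
    process API and is never tokenised by cmd.exe or sh."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return [NOTIFY_PROGRAM, "--user", username]


def run_notification(username: str, dry_run: bool = True) -> List[str]:
    """Build and (optionally) execute the notification command. Returns the argv
    that would run so callers and tests can inspect it."""
    argv = build_command_safe(username)
    if not dry_run:
        subprocess.run(argv, check=True, timeout=30)  # shell defaults to False
    return argv


if __name__ == "__main__":
    for candidate in ("jdoe", "jdoe;x"):
        print(repr(candidate), "unsafe ->", build_command_unsafe(candidate))
        try:
            print(repr(candidate), "safe   ->", build_command_safe(candidate))
        except ValueError as exc:
            print(repr(candidate), "safe   -> rejected:", exc)
```

The hardened path rejects rather than escapes: cmd.exe quoting rules differ from POSIX shells and from the per-program argument parsing on Windows, so an escaping routine that is correct for one target is routinely wrong for another. Validating against the identifier's legitimate character set and never invoking a shell removes the problem instead of chasing it.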

Discovery

Identified by ManageEngine's security team and disclosed via the Zoho ManageEngine security advisory. The CISA KEV addition in March 2023 — nearly a year after the patch — indicates exploitation was confirmed in the wild against unpatched deployments.

Exploitation Context

ManageEngine products have been targeted by nation-state actors and criminal groups due to their Active Directory integration and broad deployment in enterprise environments. Previous ManageEngine vulnerabilities (CVE-2021-44077, CVE-2021-40539) were exploited by APT groups including those affiliated with Chinese intelligence. CVE-2022-28810 follows this pattern — ADSelfService Plus's privileged integration with AD makes it a high-value target where compromise can quickly lead to domain escalation.

Remediation

  1. Upgrade ADSelfService Plus to Build 6122 or later immediately
  2. Restrict administrative access to the ADSelfService Plus management console to trusted IPs only
  3. Run ADSelfService Plus under a least-privilege service account with only the AD permissions required (password reset, account unlock)
  4. Review ADSelfService Plus audit logs for unexpected admin actions or unusual script executions
  5. Monitor the ADSelfService Plus server for unexpected outbound connections or process spawning from the service process
  6. If exposure is possible, review Active Directory for unauthorized accounts or privilege changes
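Steps 4 and 5 can be turned into a repeatable check. The following is an added example, not part of the advisory or of the vendor's tooling: it triages constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records for the two behaviours those steps call out, an interpreter spawned by the service process outside the approved custom-script path and an outbound connection from the service to a port it has no business using. The install directory, the approved-script directory, the expected-port list and the sample events are all assumptions chosen for illustration.

```python
import json
from pathlib import PureWindowsPath
from typing import Dict, List

# Assumptions (not from the advisory): where the product is installed and where
# administrators keep the custom scripts it is allowed to launch.
ADSSP_INSTALL_DIR = PureWindowsPath(r"C:\ManageEngine\ADSelfService Plus")
APPROVED_SCRIPT_DIR = PureWindowsPath(r"C:\scripts\adssp")

# Interpreters and dual-use binaries the service should only spawn for an approved script.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Ports an AD-integrated service is expected to use (DNS, Kerberos, RPC, LDAP/LDAPS,
# SMB, global catalog, SMTP for notifications). Assumption; tune locally. 443 is left
# out on purpose so traffic to the vendor's update service is surfaced for review.
EXPECTED_PORTS = {53, 88, 135, 389, 445, 636, 3268, 3269, 25, 587}

# Tokens that chain or redirect commands in cmd.exe / PowerShell.
CHAIN_TOKENS = ("&", "|", ";", ">", "<", "`")

# Constructed Sysmon records flattened to JSON lines (one event per line).
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2023-03-01 10:14:02.101", "User": "CORP\\svc_adssp", "ParentImage": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\scripts\\adssp\\notify_reset.cmd\" jdoe"}
{"EventID": 1, "UtcTime": "2023-03-01 10:15:40.552", "User": "CORP\\svc_adssp", "ParentImage": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "UtcTime": "2023-03-01 10:16:03.009", "User": "CORP\\svc_adssp", "ParentImage": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\scripts\\adssp\\notify_reset.cmd\" jdoe & hostname"}
{"EventID": 1, "UtcTime": "2023-03-01 10:16:03.120", "User": "CORP\\svc_adssp", "ParentImage": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}
{"EventID": 1, "UtcTime": "2023-03-01 10:20:11.000", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "UtcTime": "2023-03-01 10:21:00.300", "User": "CORP\\svc_adssp", "Image": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 636}
{"EventID": 3, "UtcTime": "2023-03-01 10:21:07.870", "User": "CORP\\svc_adssp", "Image": "C:\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8080}
"""


def _under(path: str, root: PureWindowsPath) -> bool:
    """Case-insensitive 'is `path` inside `root`' for Windows paths."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def _references_approved_script(cmdline: str) -> bool:
    """True if any whitespace-separated token (quotes stripped) is an approved script path."""
    return any(_under(tok.strip('"\''), APPROVED_SCRIPT_DIR) for tok in cmdline.split() if tok)


def process_finding(ev: Dict) -> str:
    """Sysmon EID 1: flag interpreters spawned by the product outside the approved
    custom-script path, or with chained/redirected commands. '' means expected."""
    if not _under(ev.get("ParentImage", ""), ADSSP_INSTALL_DIR):
        return ""  # not spawned by the product; out of scope for this rule
    child = PureWindowsPath(ev.get("Image", "")).name.lower()
    if child not in INTERPRETERS:
        return ""
    cmdline = ev.get("CommandLine", "")
    chained = any(t in cmdline for t in CHAIN_TOKENS)
    if _references_approved_script(cmdline) and not chained:
        return ""  # the documented custom-script feature doing its job
    why = "chained commands" if chained else "no approved script referenced"
    return f"{ev.get('UtcTime')} {ev.get('User')} {child} spawned by service ({why}): {cmdline}"


def network_finding(ev: Dict) -> str:
    """Sysmon EID 3: flag outbound connections from the product to unexpected ports."""
    if not _under(ev.get("Image", ""), ADSSP_INSTALL_DIR):
        return ""
    port = int(ev.get("DestinationPort", 0))
    if port in EXPECTED_PORTS:
        return ""
    return f"{ev.get('UtcTime')} unexpected outbound from service -> {ev.get('DestinationIp')}:{port}"


def triage(jsonl: str) -> List[str]:
    """Run both rules over JSON-lines Sysmon records and return the findings in order."""
    handlers = {1: process_finding, 3: network_finding}
    findings: List[str] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        handler = handlers.get(ev.get("EventID"))
        finding = handler(ev) if handler else ""
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

On the sample input the first record is tolerated (an approved script, nothing chained), the second and third are flagged for the two reasons the rule distinguishes, the conhost child and the explorer-launched shell are ignored, the LDAPS connection is expected and the connection to 203.0.113.10:8080 is flagged. The approved-script allow-list is what keeps the rule quiet on a site that legitimately uses the custom-script feature; without it, every password reset would light up.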

Key Details

Property               Value
CVE ID                 CVE-2022-28810
Vendor / Product       Zoho — ManageEngine
NVD Published          2022-04-18
NVD Last Modified      2025-10-31
CVSS 3.1 Score         6.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Severity               MEDIUM
CWE                    CWE-78
CISA KEV Added         2023-03-07
CISA KEV Deadline      2023-03-28
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-03-28. Apply updates per vendor instructions.

Timeline

Date         Event
2022-04-09   ManageEngine releases ADSelfService Plus Build 6122 patching CVE-2022-28810
2022-04-18   CVE published
2023-03-07   Added to CISA Known Exploited Vulnerabilities catalog
2023-03-28   CISA BOD 22-01 remediation deadline

References

Resource                                          Type
ManageEngine Security Advisory — CVE-2022-28810   Vendor Advisory
NVD — CVE-2022-28810                              Vulnerability Database
CISA KEV Catalog Entry                            US Government