CVE-2022-28810 Overview
CVE-2022-28810 is a command injection vulnerability affecting Zoho ManageEngine ADSelfService Plus before build 6122. This vulnerability allows a remote authenticated administrator to execute arbitrary operating system commands with SYSTEM-level privileges via the policy custom script feature. The risk is significantly amplified by the use of a default administrator password, which enables attackers to exploit this functionality with minimal effort. Additionally, a partially authenticated attacker may be able to inject arbitrary commands into the custom script feature through an unsanitized password field.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation grants SYSTEM-level command execution on the target server, potentially compromising the entire Active Directory infrastructure.
Affected Products
- Zoho ManageEngine ADSelfService Plus versions prior to build 6122
- Zoho ManageEngine ADSelfService Plus version 6.1 (builds 6100 through 6121)
- All instances using default administrator credentials
Discovery Timeline
- 2022-04-18 - CVE-2022-28810 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2022-28810
Vulnerability Analysis
This vulnerability combines two weaknesses (CWE-78: OS Command Injection and CWE-798: Use of Hard-coded Credentials) to create a dangerous attack path. ManageEngine ADSelfService Plus includes a policy custom script feature that allows administrators to execute scripts during password reset operations. The vulnerability exists because this feature fails to properly sanitize user-supplied input before passing it to the underlying operating system shell.
The exploitation scenario is particularly concerning because ADSelfService Plus ships with default administrator credentials. An attacker who discovers an internet-exposed instance can leverage these default credentials to authenticate and then abuse the custom script functionality to execute arbitrary commands. Even without full administrative access, a partially authenticated attacker can inject commands through the unsanitized password field, which is processed by the custom script feature.
Root Cause
The root cause of this vulnerability is twofold. First, the custom script feature lacks proper input sanitization, allowing shell metacharacters and command sequences to be injected and executed. Second, the application ships with default administrator credentials that are often left unchanged in production deployments. This combination of improper input validation (CWE-78) and hard-coded credentials (CWE-798) creates a reliable attack vector for remote command execution.
Attack Vector
The attack is network-based and requires the attacker to have administrative access to the ManageEngine ADSelfService Plus web interface. Given the prevalence of default credentials, this requirement is often trivially met. The attacker authenticates to the application, navigates to the policy configuration section, and creates or modifies a custom script policy with malicious command injection payloads. When the policy is triggered (typically during a password reset operation), the injected commands execute with SYSTEM privileges on the Windows server hosting ADSelfService Plus.
An alternative attack path exists through the unsanitized password field, which allows partially authenticated users to inject commands without full administrative access. This expands the attack surface significantly.
Detection Methods for CVE-2022-28810
Indicators of Compromise
- Unexpected modifications to policy custom script configurations in ADSelfService Plus
- Command prompt (cmd.exe) or PowerShell processes spawned as child processes of the ADSelfService Plus application
- Network connections from the ADSelfService Plus server to unusual external destinations
- Evidence of credential dumping tools or reconnaissance commands in system logs
Detection Strategies
- Monitor process creation events for cmd.exe or powershell.exe processes spawned by the ADSelfService Plus Java process
- Implement web application firewall rules to detect command injection patterns in HTTP requests to ADSelfService Plus
- Review authentication logs for successful logins using the default administrator account
- Deploy endpoint detection rules to identify command execution patterns consistent with exploitation
Monitoring Recommendations
- Enable detailed logging for the ADSelfService Plus application and forward logs to a SIEM solution
- Configure alerts for any changes to policy custom script configurations
- Monitor for outbound network connections from the ADSelfService Plus server to non-standard ports
- Implement file integrity monitoring on ADSelfService Plus installation directories
How to Mitigate CVE-2022-28810
Immediate Actions Required
- Upgrade ManageEngine ADSelfService Plus to build 6122 or later immediately
- Change the default administrator password to a strong, unique credential
- Review existing policy custom scripts for any unauthorized or suspicious content
- Restrict network access to the ADSelfService Plus management interface to authorized IP ranges only
Patch Information
Zoho has released build 6122 of ManageEngine ADSelfService Plus to address this vulnerability. Organizations should update to this version or later as soon as possible. The official vendor advisory is available at the ManageEngine CVE-2022-28810 Advisory. Additional technical details and analysis are available from the Rapid7 Blog on CVE-2022-28810.
Workarounds
- Disable or remove the policy custom script feature if it is not operationally required
- Implement network segmentation to isolate the ADSelfService Plus server from untrusted networks
- Enable multi-factor authentication for administrative access to the application
- Deploy application-level access controls to restrict who can modify policy configurations
# Example: Restrict access to ADSelfService Plus management interface
# Add firewall rules to limit access to trusted administrator IP ranges
# Windows Firewall example:
netsh advfirewall firewall add rule name="Block ADSelfService External" dir=in action=block protocol=tcp localport=443
netsh advfirewall firewall add rule name="Allow ADSelfService Admin" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
