CVE-2026-1367 Overview
CVE-2026-1367 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADSelfService Plus versions 6522 and below. The flaw exists in the search report option of the self-service password management application. An attacker with low-privileged authenticated access can inject arbitrary SQL statements through this feature. Successful exploitation can lead to unauthorized data access, modification of backend records, and partial impact to application availability. The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers can read and modify sensitive identity data stored in the ADSelfService Plus database, including password reset records and Active Directory configuration information.
Affected Products
- Zohocorp ManageEngine ADSelfService Plus version 6522
- Zohocorp ManageEngine ADSelfService Plus versions below 6522
- Self-service password management deployments leveraging the affected build
Discovery Timeline
- 2026-02-23 - CVE-2026-1367 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1367
Vulnerability Analysis
The vulnerability resides in the search report functionality of ManageEngine ADSelfService Plus. The application fails to properly neutralize user-supplied input before incorporating it into backend SQL queries. An authenticated user invoking the search report option can supply crafted parameters that alter query semantics. The flaw maps to [CWE-89] SQL Injection and is network-reachable through the standard web interface.
Exploitation yields high confidentiality and integrity impact against the database backing the identity service. Availability impact is rated low, indicating that database disruption is possible but not the primary outcome. The EPSS probability of 0.367% reflects limited observed exploitation activity at the time of analysis.
Root Cause
The root cause is improper input sanitization within the parameter handling logic of the search report module. User-controlled values are concatenated into SQL statements rather than bound as parameterized inputs. This allows query structure modification through metacharacters such as single quotes, comment sequences, and UNION operators.
Attack Vector
The attack requires network access to the ADSelfService Plus web console and valid low-privilege credentials. An authenticated session is the only authorization barrier. No user interaction beyond the attacker's own actions is required. The attacker submits malicious payloads through the search report request parameters, and the server executes the resulting injected SQL against the backend database.
For technical specifics, review the ManageEngine Security Advisory.
Detection Methods for CVE-2026-1367
Indicators of Compromise
- Unusual SQL syntax characters (single quotes, double dashes, UNION SELECT, OR 1=1) in HTTP request logs targeting the search report endpoint
- Authenticated sessions issuing high volumes of search report requests with varying parameter structures
- Database query errors or timeouts logged by ADSelfService Plus coinciding with search report activity
- Unexpected outbound queries against system tables such as information_schema or vendor metadata tables
Detection Strategies
- Inspect ADSelfService Plus application logs for malformed search report parameters and database exception traces
- Deploy web application firewall rules that match SQL injection signatures targeting the search report URI
- Correlate authenticated user activity with anomalous query volume or response size deviations
- Hunt for low-privilege accounts accessing reporting features they do not normally use
Monitoring Recommendations
- Enable verbose audit logging on ADSelfService Plus and forward events to a centralized log platform
- Monitor database server logs for queries originating from the application service account that reference unexpected tables
- Alert on authentication anomalies that precede reporting feature usage, such as logins from new geolocations
How to Mitigate CVE-2026-1367
Immediate Actions Required
- Upgrade ManageEngine ADSelfService Plus to the fixed build released by Zohocorp above version 6522
- Restrict network access to the ADSelfService Plus console to trusted administrative networks
- Audit all user accounts for unnecessary privileges and disable inactive accounts
- Rotate service account credentials and reset any potentially exposed administrator passwords
Patch Information
Zohocorp has released a fixed build of ADSelfService Plus that addresses the SQL injection in the search report option. Refer to the ManageEngine Security Advisory for the specific patched build number and upgrade instructions.
Workarounds
- Disable or restrict access to the search report feature for non-administrative users until the patch is applied
- Place a web application firewall in front of the ADSelfService Plus console with SQL injection inspection enabled
- Enforce multi-factor authentication on all ADSelfService Plus accounts to raise the cost of credential-based access
- Limit the database service account permissions to the minimum required, blocking access to system catalogs where feasible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
