Unauthorized RCE CVE-2022-28219 in Zoho ManageEngine ADAudit Plus

Sicherheit (Pexels, allgemeine Nutzung)[German]Security researcher Naveen Sunkavally of Horizon3.ai recently discovered vulnerability CVE-2022-28219. This allows remote code execution without further authentication by the attacker and affects Zoho ManageEngine ADAudit Plus. This is a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability involves several issues: untrusted Java deserialization, path traversal and a blind XML External Entities (XXE) injection. The vulnerabilities have since been fixed.


I came across the issue via the following tweet, which is described in detail in the June 29, 2022 article CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus.

CVE-2022-28219 in Zoho  ADAudit Plus

Security researchers regularly examine ManageEngine products in internal pentests. The products related to Active Directory management (ADManager Plus, ADSelfService Plus, ADAudit Plus, etc.) are also attractive to attackers because they have privileged access to Active Directory. That's why security researchers took a closer look at Zoho's ADAudit Plus application. In the process, they came across several vulnerabilities.

One potential remote code execution vulnerability was in an /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf graph library. This is the same vulnerable endpoint from CVE-2020-10189 reported by @steventseeley against ManageEngine Desktop Central. The FileStorage class in this library was abused for remote code execution via untrusted Java deserialization.

Then, security researchers looked for an opportunity for an XML external entity (XXE) attack that loaded a JAVA payload. The researchers found several ways for unauthenticated users to upload files, but initially had difficulty uploading any file with a Java payload because of security filters and file type checks. One of the features of ADAudit Plus is the ability to collect security events from agents running on other machines in the domain. Surprisingly the researcher found that some of the endpoints agents were using to upload events to ADAudit Plus were not authenticated. This provided a large attack surface that could eventually be exploited for remote code execution.


Finally, security researchers were able to exploit the XXE vulnerability in a proof of concept (PoC) for a remote code execution (RCE) attack. The vulnerability was reported to Zoho through the Bug Bounty program on March 28, 2022. The vendor confirmed the vulnerabilities and closed them with a patch in ADAudit Plus 7060, followed by a detailed disclosure by security researchers on June 29, 2022. Details can be read in the linked article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.