On June 29, security researchers at Horizon3.ai published a blog post about a recently disclosed critical vulnerability in Zoho ManageEngine ADAudit Plus.
ManageEngine ADAudit Plus is a compliance tool that monitors Active Directory (AD). ADAudit Plus is a popular tool to gain full visibility into everything that resides in AD, including objects such as users, computers, groups, OUs, GPOs, schema, and sites, along with their attributes.
Vulnerability Details: ManageEngine ADAudit Plus had vulnerable endpoints that allowed an unauthenticated attacker to exploit XML External Entities (XXE), Java deserialization and path traversal vulnerabilities. The chain could be leveraged to achieve unauthenticated remote code execution.
Affected Software Version(s): All ADAudit Plus builds below 7060
An unauthenticated attacker would be able to remotely execute arbitrary code on the ADAudit Plus server. Successful exploitation of this critical vulnerability, CVE-2022-28219, could allow an attacker to take over an entire enterprise network. The impact of this vulnerability will make it very attractive to ransomware groups and initial access brokers.
This vulnerability impacts all ADAudit Plus builds below 7060. Organizations should ensure they are running the fixed version or a later one.
Fixed Version(s): Build 7060
Fixed on: 30th March, 2022
To help organizations minimize the risks caused by CVE-2022-28219 exploitation attempts, customers can subscribe to a free trial of the Risk Based Vulnerability Management solution from Armoryze.