CVE-2022-24978

8.8 HIGH

📋 TL;DR

This vulnerability in Zoho ManageEngine ADAudit Plus allows authenticated users to escalate privileges on integrated products by extracting passwords from JSON responses. It affects organizations using ManageEngine ADAudit Plus for Active Directory auditing and management.

💻 Affected Systems

Products:
  • Zoho ManageEngine ADAudit Plus
Versions: All versions before 7055
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with integrated ManageEngine products. Requires authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with authenticated access can gain administrative privileges across integrated ManageEngine products, potentially compromising Active Directory environments and sensitive audit data.

🟠 Likely Case

Malicious insiders or attackers who have obtained valid credentials can escalate privileges to access restricted functionality and sensitive information.

🟢 If Mitigated

With proper network segmentation and least-privilege access, impact is limited to the specific ADAudit Plus instance and its integrated products.

🌐 Internet-Facing: HIGH if ADAudit Plus is exposed to the internet, as authenticated attackers could exploit this remotely.
🏢 Internal Only: HIGH as authenticated internal users or compromised accounts can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7055 and later

Vendor Advisory: https://pitstop.manageengine.com/portal/en/community/topic/cve-2022-24978-privilege-escalation-vulnerability-manageengine-adaudit-plus

Restart Required: Yes

Instructions:

1. Download ManageEngine ADAudit Plus version 7055 or later from the official website.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the ADAudit Plus service.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to the ADAudit Plus management interface to authorized users only.

Access Control (applies to: all)

Implement strict authentication controls and monitor for unusual privilege escalation attempts.

🧯 If You Can't Patch

  • Implement network segmentation to isolate ADAudit Plus from critical systems
  • Enforce strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the ADAudit Plus version in the web interface under Help > About. If the version is below 7055, the system is vulnerable.

Check Version:

Check the web interface at https://[server]:[port]/api/version, or use Help > About in the GUI.

Verify Fix Applied:

After patching, verify that the version is 7055 or higher and test that password fields are no longer exposed in JSON responses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Multiple failed authentication attempts followed by successful login
  • Access to sensitive API endpoints

Network Indicators:

  • Unusual API calls to ADAudit Plus endpoints
  • Traffic patterns indicating privilege escalation attempts

SIEM Query:

source="adaudit_plus" AND (event_type="privilege_escalation" OR api_endpoint="*/password*" OR (status="success" AND user_role_changed="true"))
