CVE-2022-36413
📋 TL;DR
This vulnerability in Zoho ManageEngine ADSelfService Plus allows attackers to perform brute-force attacks against password reset functionality for IDM applications. Successful exploitation could lead to unauthorized password resets and account takeover. Organizations using ADSelfService Plus versions through 6203 are affected.
💻 Affected Systems
- Zoho ManageEngine ADSelfService Plus
📦 What is this software?
ManageEngine ADSelfService Plus by Zoho Corporation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reset passwords for privileged accounts, gain domain administrator access, and completely compromise the Active Directory environment.
Likely Case
Attackers reset passwords for standard user accounts, gaining unauthorized access to corporate resources and potentially escalating privileges.
If Mitigated
With proper rate limiting and monitoring, attacks would be detected and blocked before successful exploitation.
🎯 Exploit Status
The vulnerability is straightforward to exploit using automated tools for brute-force attacks against the password reset endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6204 and later
Vendor Advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-36413.html
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus version 6204 or later from the ManageEngine website.
2. Stop the ADSelfService Plus service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure a web application firewall or load balancer to limit requests to the password reset endpoints.
Disable IDM Integration
Temporarily disable IDM application integration if it is not required.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to ADSelfService Plus servers
- Enable detailed logging and monitoring for brute-force attempts on password reset endpoints
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus version in the web interface or installation directory. Versions 6203 and earlier are vulnerable.
Check Version:
Check the version in the web interface at https://<server>:<port>/ or examine the build.txt file in the installation directory.
Verify Fix Applied:
Verify the version is 6204 or later and test password reset functionality with rate limiting.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from a single source IP
- Unusual patterns of password reset requests
- Successful password resets for multiple accounts within a short timeframe
Network Indicators:
- High volume of POST requests to the /RestAPI/LogonCustomization/ResetPassword endpoint
- Traffic patterns indicating automated brute-force tools
SIEM Query:
source="ADSelfService Plus" AND (event_type="password_reset" AND count > 10 within 5 minutes)
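As an added defender-side example that is not part of this advisory, the following Python script implements the log indicator and SIEM threshold above (more than 10 reset requests from one source IP within 5 minutes) as a per-IP sliding-window check over log lines. The CLF-style log format, the sample IP addresses and the timestamps are constructed assumptions, not the product's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint from the advisory's network indicators. The log format below is a constructed
# CLF-style sample (assumption), not ADSelfService Plus's real log format.
RESET_ENDPOINT = "/RestAPI/LogonCustomization/ResetPassword"
THRESHOLD = 10               # more than this many resets per window triggers an alert
WINDOW = timedelta(minutes=5)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Per-source-IP sliding window over reset POSTs; returns {ip: time the count first exceeded threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of reset POSTs still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _ = parsed
        if method != "POST" or path != RESET_ENDPOINT:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

def sample_log():
    """Constructed sample: 12 reset POSTs from 203.0.113.5 in under four minutes, 2 from 198.51.100.7 ten minutes apart, 1 unrelated GET."""
    base = datetime(2022, 8, 1, 9, 0, 0)
    fmt = lambda t: t.strftime(TS_FMT)
    lines = [f'203.0.113.5 - - [{fmt(base + timedelta(seconds=20 * i))}] '
             f'"POST {RESET_ENDPOINT} HTTP/1.1" 200 512' for i in range(12)]
    lines += [f'198.51.100.7 - - [{fmt(base + timedelta(minutes=10 * i))}] '
              f'"POST {RESET_ENDPOINT} HTTP/1.1" 200 512' for i in range(2)]
    lines.append(f'203.0.113.5 - - [{fmt(base)}] "GET / HTTP/1.1" 200 100')
    return lines
```

Running `find_bruteforce(sample_log())` flags only 203.0.113.5 (the 11th request at 09:03:20 pushes it over the threshold); the second IP's two requests fall in different windows and the GET is ignored.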