CVE-2023-28342

Q: What is the severity of CVE-2023-28342?

CVE-2023-28342 has a CVSS score of 7.5 (HIGH). This vulnerability in Zoho ManageEngine ADSelfService Plus allows unauthenticated attackers to cause denial-of-service via the Mobile App Authentication API. It affects organizations using ADSelfService Plus for self-service password management and authentication. The attack can disrupt legitimate user access to authentication services.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability in Zoho ManageEngine ADSelfService Plus allows unauthenticated attackers to cause denial-of-service via the Mobile App Authentication API. It affects organizations using ADSelfService Plus for self-service password management and authentication. The attack can disrupt legitimate user access to authentication services.

💻 Affected Systems

Products:

Zoho ManageEngine ADSelfService Plus

Versions: All versions before 6218

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all deployments with Mobile App Authentication enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption preventing all users from authenticating via mobile apps, potentially affecting business operations that rely on this authentication method.

🟠

Likely Case

Temporary service degradation or outages affecting mobile authentication capabilities, requiring service restart.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH - The Mobile App Authentication API is typically exposed to the internet for legitimate mobile app functionality.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but external threat is higher.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple API request can trigger the DoS condition without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6218 and later

Vendor Advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2023-28342.html

Restart Required: Yes

Instructions:

1. Download ADSelfService Plus version 6218 or later from ManageEngine website. 2. Stop the ADSelfService Plus service. 3. Install the update. 4. Restart the service.

🔧 Temporary Workarounds

Disable Mobile App Authentication

all

Temporarily disable the vulnerable Mobile App Authentication API feature

Navigate to Admin > Mobile App Settings > Disable Mobile App Authentication

Implement Rate Limiting

all

Configure web server or WAF to limit requests to the Mobile App Authentication API endpoint

🧯 If You Can't Patch

Implement strict network segmentation to limit access to the ADSelfService Plus server
Deploy a WAF with rate limiting and DoS protection rules for the Mobile App Authentication API endpoint

🔍 How to Verify

Check if Vulnerable:

Check ADSelfService Plus version in Admin Console > About. If version is below 6218, system is vulnerable.

Check Version:

In ADSelfService Plus web interface: Admin > About

Verify Fix Applied:

Verify version is 6218 or higher in Admin Console > About and test Mobile App Authentication functionality.

📡 Detection & Monitoring

Log Indicators:

High volume of requests to /MobileAppAuthenticationAPI endpoint
Service restart events in application logs
Error logs indicating authentication service failures

Network Indicators:

Unusual traffic spikes to Mobile App Authentication API endpoint
Repeated requests from single IP addresses to authentication endpoints

SIEM Query:

source="ADSelfServicePlus" AND (uri_path="/MobileAppAuthenticationAPI" OR message="authentication failure") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2023-28342

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

Published: April 5, 2023

Last Updated: February 13, 2025

🔗 References

https://manageengine.com Product
https://www.manageengine.com/products/self-service-password/advisory/CVE-2023-28342.html Vendor Advisory
https://manageengine.com Product
https://www.manageengine.com/products/self-service-password/advisory/CVE-2023-28342.html Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp

Manageengine Adselfservice Plus by Zohocorp