CVE-2023-29084
📋 TL;DR
This vulnerability allows authenticated users of Zoho ManageEngine ADManager Plus to execute arbitrary operating-system commands through the product's proxy settings: input from the proxy configuration reaches an OS command without adequate sanitization (OS command injection). An attacker holding valid credentials that include access to the proxy settings can run commands on the host with the privileges of the ADManager Plus service account. All installations running a build earlier than 7181 are affected.
💻 Affected Systems
- Zoho ManageEngine ADManager Plus, all builds before 7181 (fixed in build 7181)
📦 What is this software?
ADManager Plus is Zoho ManageEngine's web-based Active Directory management and reporting product. It runs as a Windows service and is normally configured with highly privileged AD credentials, which is why command execution on its host is so damaging.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the ADManager Plus host, reuse of the privileged AD credentials it stores to take over the domain, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Code execution as the ADManager Plus service account (frequently NT AUTHORITY\SYSTEM), followed by credential harvesting from the application and the host, installation of backdoors, and persistence mechanisms.
If Mitigated
If proxy configuration is restricted to a small set of administrators, the service runs under a dedicated low-privilege account, and the server is segmented, an attacker still needs a privileged login and gains only that service account's rights on an isolated host.
🎯 Exploit Status
Exploitation requires an authenticated session with access to the proxy settings, but is otherwise straightforward. Public proof-of-concept code exists (see References).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7181 and later
Vendor Advisory: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html
Restart Required: Yes
Instructions:
1. Download ADManager Plus build 7181 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Run the installer/upgrade package.
4. Restart the service.
5. Verify the build number is 7181 or higher.
🔧 Temporary Workarounds
Restrict Proxy Settings Access
Remove or restrict access to the proxy configuration functionality for every account except a small set of administrators, and review existing admin and technician role assignments for accounts that no longer need them.
Network Segmentation
Isolate the ADManager Plus server from critical systems and implement strict firewall rules, including egress filtering, so that injected commands cannot easily reach the rest of the network or the internet.
🧯 If You Can't Patch
- Implement strict access controls limiting who can authenticate to ADManager Plus (MFA, VPN-only access to the console, removal of stale accounts)
- Deploy an application-level firewall (WAF) with command injection detection rules in front of the console; treat this as defence in depth only, since short payloads may evade signature-based rules
🔍 How to Verify
Check if Vulnerable:
Compare the installed build number against 7181: any build lower than 7181 is vulnerable. The build number is shown on the About page of the web console and is recorded in the installation directory.
Check Version:
On Windows: check the version file under the installation directory (for a default install, 'C:\Program Files\ManageEngine\ADManager Plus\conf\version.txt') or the About page of the web console.
Verify Fix Applied:
Confirm the build is 7181 or higher. In a test environment, save a proxy setting containing shell metacharacters (for example a trailing `& whoami`) and confirm that no process is spawned by the ADManager Plus service.
📡 Detection & Monitoring
Log Indicators:
- Proxy configuration changes outside change windows or by accounts that do not normally administer the product
- Process creation events (Windows Security 4688 or Sysmon event 1) in which cmd.exe, powershell.exe, or wmic.exe is spawned by the ADManager Plus Java process
- Multiple failed authentication attempts followed by a successful login and proxy settings access
Network Indicators:
- Outbound connections from the ADManager Plus server to unexpected destinations, including to the "proxy" host itself
- Unusual HTTP requests to the proxy configuration endpoints
SIEM Query:
The queries below are templates; field names depend on your log source and must be adjusted.
Application logs: source="ADManagerPlus" AND (event_description="proxy" OR event_description="command") AND (cmd.exe OR powershell.exe OR wmic.exe)
Process creation (Splunk-style): EventCode=4688 ParentProcessName="*ADManager Plus*java.exe" NewProcessName IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wmic.exe")
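The process-creation indicator above is the most reliable one, because it does not depend on what the attacker typed into the proxy field. The script below is an added example, not code from the advisory or from ManageEngine: it scans process-creation records shaped like Windows Security event 4688 or Sysmon event 1 and flags shells and LOLBins whose parent lives under the ADManager Plus install directory. The install path, the parent `java.exe`/`wrapper.exe` names, and the sample events are constructed assumptions; point `ADMP_INSTALL_DIR` at your deployment and feed it real events exported from your SIEM or `Get-WinEvent`.

```python
"""Flag shells / LOLBins spawned by the ADManager Plus Java process.

Added example (not from the advisory or the vendor). Records mimic the fields of
Windows Security event 4688 (process creation) and Sysmon event 1. The install
path and the sample events below are constructed, not real telemetry.
"""
from typing import Iterable

# Assumption: default install location used elsewhere on this page.
ADMP_INSTALL_DIR = r"C:\Program Files\ManageEngine\ADManager Plus"

# Child images a legitimate proxy-settings save should never spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_admp_process(image: str) -> bool:
    """True if the image lives under the ADManager Plus install directory."""
    return image.lower().startswith(ADMP_INSTALL_DIR.lower() + "\\")


def _field(ev: dict, *names: str) -> str:
    """First populated field among the 4688 / Sysmon naming variants."""
    for name in names:
        if ev.get(name):
            return str(ev[name])
    return ""


def suspicious_children(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events where ADManager Plus spawned a shell/LOLBin.

    Each hit keeps the parent, the child and its command line so an analyst can
    see what the injected proxy setting actually executed.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") not in (4688, 1):
            continue  # only process-creation events are relevant
        child_image = _field(ev, "NewProcessName", "Image")
        parent_image = _field(ev, "ParentProcessName", "ParentImage")
        if basename(child_image) in SUSPICIOUS_CHILDREN and is_admp_process(parent_image):
            hits.append({
                "time": _field(ev, "TimeCreated", "UtcTime"),
                "user": _field(ev, "SubjectUserName", "User"),
                "parent": parent_image,
                "child": child_image,
                "cmdline": _field(ev, "CommandLine", "ProcessCommandLine"),
            })
    return hits


# Constructed sample telemetry (not real logs): the normal service start, what
# post-exploitation looks like, and an admin opening PowerShell from the desktop.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2023-04-20T09:00:01Z",
     "SubjectUserName": "SYSTEM",
     "NewProcessName": ADMP_INSTALL_DIR + r"\jre\bin\java.exe",
     "ParentProcessName": ADMP_INSTALL_DIR + r"\bin\wrapper.exe",
     "CommandLine": "java ... (service start, constructed)"},
    {"EventID": 4688, "TimeCreated": "2023-04-20T09:14:33Z",
     "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": ADMP_INSTALL_DIR + r"\jre\bin\java.exe",
     "CommandLine": 'cmd.exe /c "whoami > C:\\Windows\\Temp\\out.txt"'},
    {"EventID": 1, "UtcTime": "2023-04-20 09:20:10.000",
     "User": r"CORP\helpdesk",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['time']} {hit['user']}: {hit['parent']} -> {hit['cmdline']}")
```

Only the second sample event is reported: the child is `cmd.exe` and its parent is the Java process under the install directory, whereas the interactive PowerShell session has `explorer.exe` as its parent. Matching on the parent's install directory rather than on a fixed `java.exe` path keeps the rule valid across JRE upgrades; if your deployment runs the service from a different directory, only the constant changes.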
🔗 References
- http://packetstormsecurity.com/files/172755/ManageEngine-ADManager-Plus-Command-Injection.html
- https://manageengine.com
- https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html