CVE-2024-0252
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary code on ManageEngine ADSelfService Plus servers due to improper input handling in the load balancer component. Organizations using ADSelfService Plus versions 6401 and below are affected. Attackers must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- ManageEngine ADSelfService Plus
📦 What is this software?
ManageEngine ADSelfService Plus by Zoho Corporation
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal credentials, deploy ransomware, or pivot to other network resources.
Likely Case
Privilege escalation leading to domain admin compromise, credential harvesting, and lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to contain the breach.
🎯 Exploit Status
Exploitation requires authentication but the vulnerability is in a core component, making reliable exploitation likely once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6402 and above
Vendor Advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html
Restart Required: Yes
Instructions:
1. Download ADSelfService Plus version 6402 or later from the ManageEngine website.
2. Stop the ADSelfService Plus service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Disable Load Balancer Component
Temporarily disable the vulnerable load balancer component if it is not required for operations.
Navigate to ADSelfService Plus admin console > Configuration > Load Balancer > Disable
Restrict Network Access
Limit access to ADSelfService Plus to trusted IP addresses only using firewall rules. Replace the <TRUSTED_IP_RANGE> placeholder with your own management subnet(s).
Windows (Windows Firewall blocks unmatched inbound traffic by default, so narrow or remove any existing broader allow rule for port 8888 before adding this one): netsh advfirewall firewall add rule name="Allow ADSSP trusted" dir=in action=allow protocol=TCP localport=8888 remoteip=<TRUSTED_IP_RANGE>
Linux (accept trusted ranges first, then drop everything else on the port): iptables -A INPUT -p tcp --dport 8888 -s <TRUSTED_IP_RANGE> -j ACCEPT followed by iptables -A INPUT -p tcp --dport 8888 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ADSelfService Plus servers from critical assets.
- Enforce multi-factor authentication and strong password policies to reduce credential compromise risk.
🔍 How to Verify
Check if Vulnerable:
Check ADSelfService Plus version in admin console under Help > About. If version is 6401 or below, system is vulnerable.
Check Version:
Windows: Check the installation directory for version.txt, or use 'sc query "ADSelfService Plus"' to confirm the service is present.
Linux: Check /opt/ManageEngine/ADSelfService Plus/version.txt
Verify Fix Applied:
After patching, verify version shows 6402 or higher in Help > About. Test load balancer functionality if enabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from ADSelfService Plus service
- Suspicious authentication attempts followed by load balancer component activity
- Error logs related to load balancer parsing failures
Network Indicators:
- Unusual outbound connections from ADSelfService Plus server
- Traffic spikes on load balancer ports (typically 8888)
SIEM Query:
source="ADSelfService Plus" AND (event_id="4688" OR process_name="cmd.exe" OR process_name="powershell.exe")
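An added defender-side example, not part of the advisory, that ties the version check (build 6401 or below is vulnerable) to the process-creation indicator above: it reads a build number from version.txt contents and flags Windows 4688 events where cmd.exe or powershell.exe was spawned from the ADSelfService Plus install path. The log records and the java.exe parent path are constructed samples; the install-path hint is an assumption to adjust for your deployment.

```python
"""Helpers for CVE-2024-0252 (ManageEngine ADSelfService Plus): build check
and a 4688 parent/child filter. Sample events below are constructed."""
import re

FIXED_BUILD = 6402                      # first fixed build per vendor advisory
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Assumption: the service's Java process runs from a path containing this string.
ADSSP_PATH_HINT = "adselfservice plus"


def is_vulnerable_build(version_txt: str) -> bool:
    """True if the build number in version.txt (e.g. '6401' or 'Build 6401')
    is below the first fixed build, i.e. 6401 or lower."""
    m = re.search(r"\b(\d{4,5})\b", version_txt)
    if not m:
        raise ValueError("no build number found in version.txt contents")
    return int(m.group(1)) < FIXED_BUILD


# Constructed 4688-style records in key=value;key=value form (not real logs).
SAMPLE_EVENTS = [
    "EventID=4688;NewProcessName=C:\\Windows\\System32\\cmd.exe;"
    "ParentProcessName=C:\\Program Files\\ManageEngine\\ADSelfService Plus\\jre\\bin\\java.exe",
    "EventID=4688;NewProcessName=C:\\Windows\\System32\\svchost.exe;"
    "ParentProcessName=C:\\Windows\\System32\\services.exe",
    "EventID=4688;NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "ParentProcessName=C:\\Windows\\explorer.exe",
    "EventID=4624;NewProcessName=;ParentProcessName=",   # logon event, ignored
]


def parse_event(line: str) -> dict:
    """Split a key=value;... record into a dict (values may be empty)."""
    return dict(kv.split("=", 1) for kv in line.split(";") if "=" in kv)


def shells_spawned_by_adssp(lines):
    """Return NewProcessName values of 4688 events where a shell was launched
    by a process under the ADSelfService Plus install path."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        child = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentProcessName", "").lower()
        if child in SUSPICIOUS_CHILDREN and ADSSP_PATH_HINT in parent:
            hits.append(ev["NewProcessName"])
    return hits


if __name__ == "__main__":
    print(is_vulnerable_build("Build 6401"), shells_spawned_by_adssp(SAMPLE_EVENTS))
```

Only the cmd.exe record is flagged: the powershell.exe launch comes from explorer.exe, and the 4624 record is not a process-creation event.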