CVE-2024-24409
📋 TL;DR
This vulnerability allows an authenticated ManageEngine ADManager Plus user with limited delegated permissions to escalate privileges through the Modify Computers option. An attacker who already holds such an account could gain administrative control over the Active Directory management functions the product exposes. Organizations running ADManager Plus build 7203 or earlier are affected.
💻 Affected Systems
- ManageEngine ADManager Plus
📦 What is this software?
ManageEngine ADManager Plus is a web-based Active Directory management and reporting product from Zoho's ManageEngine division. It lets administrators delegate AD tasks (user, computer and group management, password resets, reporting) to help desk staff through role-based permissions, which is why a flaw in one of those delegated options (Modify Computers) matters: the product itself runs with privileged AD credentials on behalf of low-privileged operators.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Active Directory management capabilities, allowing attackers to create/modify/delete AD objects, grant administrative privileges, and potentially pivot to domain controller compromise.
Likely Case
A low-privileged delegated user escalates to broader AD management rights, leading to unapproved AD object modifications, user account manipulation, and potential data exfiltration.
If Mitigated
Limited impact if proper access controls, network segmentation, and monitoring are in place to detect unusual privilege escalation attempts.
🎯 Exploit Status
Exploitation requires an authenticated ADManager Plus account that has been delegated the Modify Computers option. The CWE-269 (Improper Privilege Management) classification describes the class of flaw, not its difficulty; this page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7204 and later
Vendor Advisory: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2024-24409.html
Restart Required: Yes
Instructions:
1. Download ADManager Plus build 7204 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
5. Verify that the build number is 7204 or higher.
🔧 Temporary Workarounds
Restrict Access to Modify Computers Function
Until the patch is applied, remove the Modify Computers option from every help desk role and delegation granted to non-administrative users, and re-check those roles after the upgrade.
Network Segmentation
Isolate the ADManager Plus server from general network access and restrict its web interface to authorized administrative workstations only.
🧯 If You Can't Patch
- Reduce the set of ADManager Plus accounts to the minimum required, review every help desk role that includes Modify Computers, and monitor for operations that exceed a user's delegation
- Require additional authentication factors for ADManager Plus logins and monitor sessions for unexpected privileged operations
🔍 How to Verify
Check if Vulnerable:
Check the ADManager Plus build number in the web interface under Help > About; any build up to and including 7203 is vulnerable
Check Version:
Check web interface or examine %PROGRAMFILES%\ManageEngine\ADManager Plus\conf\version.txt on Windows
Verify Fix Applied:
Verify that the build number is 7204 or higher, then log in as a help desk account that is delegated only Modify Computers and confirm it cannot perform operations outside that delegation
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts in ADManager Plus logs
- Multiple failed then successful Modify Computers operations by non-admin users
- Unexpected AD object modifications
Network Indicators:
- Unusual traffic patterns to ADManager Plus from non-admin workstations
- Multiple authentication attempts followed by Modify Computers API calls
SIEM Query (pseudo-query; field names are placeholders and must be mapped to your log schema):
source="ADManagerPlus" AND (event_type="privilege_escalation" OR operation="Modify Computers") AND user_role!="admin"
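The two log indicators above (Modify Computers by a non-admin role, and a run of failed operations followed by a success) can be checked offline against exported audit logs. The following Python script is an added example written for this page, not code from ManageEngine or the advisory; the key=value line format, the role names `Admin`/`SuperAdmin` and the sample lines are all constructed assumptions, so the regex must be adapted to the real ADManager Plus audit log layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value audit format. The real
# ADManager Plus log layout differs; LINE_RE is a placeholder to adapt.
SAMPLE_LOG = """\
2024-03-01T10:01:02Z user=asmith role=Admin op="Modify Computers" target=WS01 result=SUCCESS
2024-03-01T10:02:11Z user=jdoe role=HelpDesk op="Modify Computers" target=WS02 result=FAILED
2024-03-01T10:02:15Z user=jdoe role=HelpDesk op="Modify Computers" target=WS02 result=FAILED
2024-03-01T10:02:19Z user=jdoe role=HelpDesk op="Modify Computers" target=WS02 result=SUCCESS
2024-03-01T10:03:40Z user=bwong role=HelpDesk op="Reset Password" target=u123 result=SUCCESS
2024-03-01T10:04:05Z user=jdoe role=HelpDesk op="Modify Users" target=u123 result=SUCCESS
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'op="(?P<op>[^"]+)" target=(?P<target>\S+) result=(?P<result>\S+)$'
)

# Assumed role names; replace with the roles that are administrative in your deployment.
ADMIN_ROLES = {"Admin", "SuperAdmin"}
WATCHED_OP = "Modify Computers"


def parse(log_text):
    """Parse lines matching LINE_RE into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_nonadmin_modify_computers(events):
    """Rule 1: any Modify Computers operation performed under a non-admin role."""
    return [e for e in events
            if e["op"] == WATCHED_OP and e["role"] not in ADMIN_ROLES]


def find_fail_then_success(events, min_failures=2):
    """Rule 2: per user, at least min_failures consecutive FAILED Modify Computers
    operations followed by a SUCCESS. Events are assumed to be in time order."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        if e["op"] != WATCHED_OP:
            continue
        user = e["user"]
        if e["result"] == "FAILED":
            streak[user] += 1
        elif e["result"] == "SUCCESS":
            if streak[user] >= min_failures:
                hits.append({"user": user, "failures": streak[user], "ts": e["ts"]})
            streak[user] = 0
        # any other result string neither extends nor resets the streak
    return hits


def analyze(log_text):
    """Run both rules over a log export and return the findings."""
    events = parse(log_text)
    return {
        "nonadmin_modify_computers": find_nonadmin_modify_computers(events),
        "fail_then_success": find_fail_then_success(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for e in report["nonadmin_modify_computers"]:
        print(f"ALERT non-admin Modify Computers: {e['ts']} {e['user']} "
              f"({e['role']}) -> {e['target']} {e['result']}")
    for h in report["fail_then_success"]:
        print(f"ALERT fail-then-success: {h['user']} had {h['failures']} "
              f"failures then a success at {h['ts']}")
```

Rule 1 is the same condition as the pseudo SIEM query above; rule 2 encodes the "multiple failed then successful" indicator and needs the `min_failures` threshold tuned so that ordinary help desk typos do not page anyone. On the constructed sample, only `jdoe` trips either rule.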