CVE-2024-36485
📋 TL;DR
This SQL injection vulnerability in ManageEngine ADAudit Plus allows attackers to execute arbitrary SQL commands through the Technician reports option. Organizations using affected versions are at risk of data theft, modification, or deletion. The vulnerability requires authentication but can be exploited by any user with Technician role access.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the database including extraction of sensitive Active Directory audit data, credential theft, privilege escalation to domain admin, and potential lateral movement across the network.
Likely Case
Unauthorized access to audit logs, sensitive directory information, and potential data manipulation or deletion of audit records.
If Mitigated
Limited impact if proper network segmentation, database permissions, and input validation controls are in place, though some data exposure may still occur.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit with basic tools. Requires authenticated access with Technician role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8121
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-36485.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus build 8121 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Restrict Technician Role Access
Temporarily remove the Technician role from non-essential users until patching can be completed.
Network Segmentation
Isolate the ADAudit Plus server from critical systems and restrict database access.
🧯 If You Can't Patch
- Implement strict input validation at web application firewall level
- Monitor and alert on unusual SQL queries or database access patterns
🔍 How to Verify
Check if Vulnerable:
Check ADAudit Plus version in web interface under Help > About or via installation directory properties.
Check Version:
On Windows: check Program Files\ManageEngine\ADAudit Plus\bin\version.txt.
On Linux: check /opt/ManageEngine/ADAudit Plus/bin/version.txt.
Verify Fix Applied:
Confirm version is 8121 or higher and test Technician reports functionality for SQL injection attempts.
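The version check above, as an added example that is not part of the advisory and not a ManageEngine tool: it reads the build number out of version.txt and compares it against the fixed build 8121. The file paths are the ones the advisory names (the Windows drive letter C: is an assumption), and the script assumes version.txt contains the build number as a run of digits, which the advisory does not state.

```python
import re
from typing import Iterable, Optional

# First fixed build per the vendor advisory.
FIXED_BUILD = 8121

# Default locations named in the advisory. The C: drive is an assumption;
# adjust if ADAudit Plus was installed elsewhere.
DEFAULT_VERSION_FILES = [
    r"C:\Program Files\ManageEngine\ADAudit Plus\bin\version.txt",
    "/opt/ManageEngine/ADAudit Plus/bin/version.txt",
]


def parse_build_number(version_text: str) -> Optional[int]:
    """Return the first 4+ digit run found in the text of version.txt.

    Assumption: the file carries the build number (e.g. "8120") somewhere
    in its contents. Returns None when no such number is present.
    """
    match = re.search(r"\d{4,}", version_text)
    return int(match.group(0)) if match else None


def is_vulnerable(version_text: str) -> bool:
    """True when the installed build predates the fixed build 8121."""
    build = parse_build_number(version_text)
    if build is None:
        raise ValueError("no build number found in version.txt contents")
    return build < FIXED_BUILD


def check_installation(paths: Iterable[str] = DEFAULT_VERSION_FILES) -> Optional[bool]:
    """Try each candidate version.txt; return True/False for the first one
    found, or None if ADAudit Plus is not installed at any known path."""
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return is_vulnerable(fh.read())
        except FileNotFoundError:
            continue
    return None


if __name__ == "__main__":
    result = check_installation()
    if result is None:
        print("ADAudit Plus version.txt not found at the default locations")
    elif result:
        print(f"VULNERABLE: build is older than {FIXED_BUILD}; upgrade required")
    else:
        print(f"OK: build is {FIXED_BUILD} or later")
```

Run it on the ADAudit Plus host; a None result means the default paths do not match the installation and should be passed explicitly to check_installation().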
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed Technician report generation attempts
- Suspicious user activity from Technician accounts
Network Indicators:
- Unusual database connection patterns
- SQL error messages in HTTP responses
SIEM Query:
source="ad_audit_logs" AND (event_type="report_generation" AND (query="%' OR '%'='%" OR query="%' UNION SELECT%"))
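The log indicators and the SIEM query above turned into offline detection logic, as an added example that is not part of the advisory: it parses key="value" audit lines, flags report_generation queries carrying the injection patterns the advisory lists (plus comment-sequence variants), and counts failed report attempts per Technician account. The log line format and the sample lines are constructed for the example; the real ADAudit Plus log format is not described on the page.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in a key="value" layout; not real ADAudit Plus output.
SAMPLE_LOGS = """\
ts="2024-06-01T10:00:01Z" event_type="report_generation" user="tech.alice" status="success" query="Logon Failures"
ts="2024-06-01T10:00:05Z" event_type="report_generation" user="tech.bob" status="failed" query="%' OR '%'='%"
ts="2024-06-01T10:00:09Z" event_type="report_generation" user="tech.bob" status="failed" query="%' UNION SELECT 1,2,3--"
ts="2024-06-01T10:00:14Z" event_type="report_generation" user="tech.bob" status="failed" query="Domain Admins'--"
ts="2024-06-01T10:01:00Z" event_type="report_generation" user="tech.carol" status="success" query="Account Lockouts"
ts="2024-06-01T10:02:30Z" event_type="report_generation" user="tech.alice" status="failed" query="Privileged Users"
""".splitlines()

# Patterns that should never appear in a legitimate report parameter.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(OR|AND)\s*'", re.IGNORECASE),        # tautology, e.g. ' OR '
    re.compile(r"UNION\s+(ALL\s+)?SELECT", re.IGNORECASE),  # union-based extraction
    re.compile(r"(--|/\*|;\s*DROP\b)", re.IGNORECASE),       # comment / statement break
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key="value" audit line into a dict (assumed format)."""
    return dict(KV_RE.findall(line))


def is_injection_attempt(query: str) -> bool:
    """True when the report query contains any known injection pattern."""
    return any(p.search(query) for p in INJECTION_PATTERNS)


def analyze_logs(lines: Iterable[str], fail_threshold: int = 3) -> Dict[str, object]:
    """Return injection events and accounts with repeated failed reports.

    injection_events: list of (user, query) for report_generation events
                      whose query carries an injection pattern.
    noisy_users:      {user: failed_count} for accounts at or above
                      fail_threshold failed report generations.
    """
    injection_events: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("event_type") != "report_generation":
            continue
        user = rec.get("user", "<unknown>")
        query = rec.get("query", "")
        if is_injection_attempt(query):
            injection_events.append((user, query))
        if rec.get("status") == "failed":
            failures[user] += 1
    noisy = {u: n for u, n in failures.items() if n >= fail_threshold}
    return {"injection_events": injection_events, "noisy_users": noisy}


if __name__ == "__main__":
    result = analyze_logs(SAMPLE_LOGS)
    for user, query in result["injection_events"]:
        print(f"ALERT injection pattern from {user}: {query}")
    for user, count in result["noisy_users"].items():
        print(f"ALERT {count} failed report attempts from {user}")
```

The failure threshold of 3 is a starting point; tune it against the normal rate of failed report generations in your environment so that a Technician who mistypes a filter once does not trip the alert.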