CVE-2024-36514
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the file summary option in ManageEngine ADAudit Plus. Attackers could potentially read, modify, or delete database contents. Organizations running ADAudit Plus versions below 8000 are affected.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database via SQL injection, leading to data exfiltration, privilege escalation, or system takeover through execution of arbitrary commands.
Likely Case
Unauthorized data access and potential privilege escalation within the ADAudit Plus application database.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring of database queries.
🎯 Exploit Status
Exploitation requires authenticated access, but SQL injection vulnerabilities are typically easy to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8000 and above
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-36514.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus version 8000 or later from the ManageEngine website.
2. Back up the current installation and database.
3. Run the installer to upgrade.
4. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the ADAudit Plus web interface to trusted administrative networks only
Authentication Hardening
Implement strong authentication policies including MFA and limit the number of administrative accounts
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection protection rules
- Monitor and audit all database queries from ADAudit Plus application
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus version in the web interface under Help > About, or via the installed program details
Check Version:
On Windows: check the installed programs list. On Linux: check the version files in the installation directory.
Verify Fix Applied:
Verify that the version is 8000 or higher, then test the file summary functionality with SQL injection test payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by file summary access
- Unexpected database schema changes
Network Indicators:
- SQL injection patterns in HTTP requests to /api/fileSummary endpoints
- Unusual database connection patterns from ADAudit Plus server
SIEM Query:
source="ad_audit_logs" AND (url="*fileSummary*" AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*"))
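The SIEM rule above, applied offline to constructed sample log lines as an added example (this is not code from the page or from ManageEngine). The JSON-lines format and the field names src, user, url and query are assumptions; the example additionally URL-decodes the query and matches keywords case-insensitively as whole words, which the plain wildcard rule does not guarantee.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real ADAudit Plus logs); field names are assumed.
SAMPLE_LOGS = [
    '{"src":"10.0.0.5","user":"admin","url":"/api/fileSummary","query":"path=/srv/share&sort=name"}',
    '{"src":"10.0.0.9","user":"svc_audit","url":"/api/fileSummary","query":"path=x%27%20UNION%20SELECT%201--"}',
    '{"src":"10.0.0.9","user":"svc_audit","url":"/api/fileSummary","query":"path=x\' uNiOn select 1--"}',
    '{"src":"10.0.0.7","user":"admin","url":"/api/reports","query":"type=SELECT"}',
    '{"src":"10.0.0.5","user":"admin","url":"/api/fileSummary","query":"path=/srv/deleted_items"}',
]

# Keywords taken from the SIEM query on this page.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE")
# Whole-word, case-insensitive match: "deleted_items" alone must not trigger DELETE.
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def normalise(value):
    """URL-decode until stable so double encoding (e.g. %2527) cannot hide a keyword."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def match_file_summary_sqli(line):
    """Return the matched SQL keyword (upper-cased) if the line hits the rule, else None."""
    rec = json.loads(line)
    if "fileSummary" not in rec.get("url", ""):
        return None
    m = KEYWORD_RE.search(normalise(rec.get("query", "")))
    return m.group(1).upper() if m else None


def detect(lines):
    """Apply the rule to every line; return (src, user, keyword) tuples for each hit."""
    hits = []
    for line in lines:
        kw = match_file_summary_sqli(line)
        if kw:
            rec = json.loads(line)
            hits.append((rec["src"], rec["user"], kw))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print("fileSummary SQL keyword from %s (user %s): %s" % hit)
```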