CVE-2024-36518
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the attack surface analyzer's dashboard in ManageEngine ADAudit Plus. Attackers could potentially read, modify, or delete database contents. Organizations running vulnerable versions of ADAudit Plus are affected.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, or system takeover by chaining SQL injection into remote code execution.
Likely Case
Unauthorized data access, sensitive information disclosure, and potential lateral movement within the database.
If Mitigated
Limited impact due to network segmentation, proper authentication controls, and database permission restrictions.
🎯 Exploit Status
Exploitation requires valid user credentials but SQL injection is typically straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8110
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-36518.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus version 8110 or later from the ManageEngine website
2. Backup current installation and database
3. Run the installer/upgrade package
4. Restart the ADAudit Plus service
🔧 Temporary Workarounds
Restrict Dashboard Access
Limit access to the attack surface analyzer dashboard to only necessary administrative users.
Network Segmentation
Isolate the ADAudit Plus server from critical systems and implement strict firewall rules.
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for all ADAudit Plus users
- Deploy web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check ADAudit Plus version in web interface under Help > About or via installed directory version files.
Check Version:
On Windows: check 'C:\Program Files\ManageEngine\ADAudit Plus\conf\version.info' or similar. On Linux: check '/opt/ManageEngine/ADAudit Plus/conf/version.info'.
Verify Fix Applied:
Confirm version is 8110 or higher in the About section and test dashboard functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by dashboard access
- Suspicious user activity in ADAudit Plus audit logs
Network Indicators:
- Unusual database connection patterns from ADAudit Plus server
- SQL error messages in HTTP responses
SIEM Query:
source="ad_audit_logs" AND ((event="dashboard_access" AND user!="admin") OR (message="*sql*" OR message="*injection*"))
(The outer parentheses are needed: without them AND binds tighter than OR, and the message clause would match events from every source, not just ad_audit_logs.)
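The SIEM query logic above, with and without the grouping parentheses, run over a handful of constructed events. This is an added Python example, not code from the original advisory or from ManageEngine; the field names (source, event, user, message) and the case-insensitive wildcard matching are assumptions made to mirror the query on this page.

```python
import fnmatch
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events for illustration only; the field names are assumed
# to mirror the SIEM query on this page, not the real ADAudit Plus log schema.
SAMPLE_EVENTS: List[Event] = [
    {"source": "ad_audit_logs", "event": "dashboard_access", "user": "jsmith",
     "message": "opened attack surface analyzer dashboard"},
    {"source": "ad_audit_logs", "event": "dashboard_access", "user": "admin",
     "message": "opened attack surface analyzer dashboard"},
    {"source": "ad_audit_logs", "event": "db_error", "user": "jsmith",
     "message": "SQL syntax error in dashboard query"},
    {"source": "web_proxy", "event": "request", "user": "bob",
     "message": "GET /docs/sql-tutorial.html"},  # unrelated source
]


def message_hit(ev: Event) -> bool:
    """message="*sql*" OR message="*injection*" (wildcards, case-insensitive by assumption)."""
    msg = ev.get("message", "").lower()
    return fnmatch.fnmatchcase(msg, "*sql*") or fnmatch.fnmatchcase(msg, "*injection*")


def non_admin_dashboard(ev: Event) -> bool:
    """event="dashboard_access" AND user!="admin"."""
    return ev.get("event") == "dashboard_access" and ev.get("user") != "admin"


def matches_as_written(ev: Event) -> bool:
    """Query with AND binding tighter than OR: the message branch is evaluated
    without the source filter, so events from other sources leak into the results."""
    return (ev.get("source") == "ad_audit_logs" and non_admin_dashboard(ev)) or message_hit(ev)


def matches_corrected(ev: Event) -> bool:
    """Explicitly grouped query: the source filter applies to both branches."""
    return ev.get("source") == "ad_audit_logs" and (non_admin_dashboard(ev) or message_hit(ev))


def hunt(events: List[Event], matcher: Callable[[Event], bool]) -> List[str]:
    """Return source:user labels of matching events, in input order, for triage."""
    return [f'{ev["source"]}:{ev["user"]}' for ev in events if matcher(ev)]


if __name__ == "__main__":
    print("as written :", hunt(SAMPLE_EVENTS, matches_as_written))
    print("corrected  :", hunt(SAMPLE_EVENTS, matches_corrected))
```

The ungrouped form returns the web_proxy event as a false positive; the grouped form keeps only the two ad_audit_logs hits.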