CVE-2024-49574

CVSS: 8.3 HIGH

📋 TL;DR

This SQL injection vulnerability in the reports module of ManageEngine ADAudit Plus lets a user who is authenticated to the web interface run arbitrary SQL against the product database. All builds below 8123 are affected. The database holds the Active Directory audit data the product collects, so a successful injection exposes that data and, depending on the database account's rights, the server itself.

💻 Affected Systems

Products:
  • ManageEngine ADAudit Plus
Versions: All builds below 8123
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the reports module specifically; requires an authenticated session on the web interface.

📦 What is this software?

ManageEngine ADAudit Plus is Zoho's Active Directory change-auditing and reporting product. It collects security event logs from domain controllers, file servers and workstations into its own database and exposes them through a web interface; the reports module affected here queries that database.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the ADAudit Plus database, leading to exfiltration of the audit data, escalation on the ADAudit Plus host if the database account has more rights than it needs, and use of that foothold for lateral movement.

🟠 Likely Case: Unauthorized reading of sensitive audit logs and extraction of the user and group data they contain by someone who already holds a web-interface login.

🟢 If Mitigated: Limited impact once build 8123 or later is installed and the database account runs with least privilege.

🌐 Internet-Facing: HIGH if ADAudit Plus web interface is exposed to the internet, as SQL injection can be exploited remotely.
🏢 Internal Only: HIGH as authenticated users or attackers who gain internal access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Unknown
Unauthenticated Exploit: ❌ No (an authenticated web-interface session is required)
Complexity: LOW

Exploitation needs valid ADAudit Plus web credentials; once those are in hand, SQL injection in a report parameter is typically straightforward with standard web testing tools. Treat every account that can log in to the console as part of the attack surface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8123

Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-49574.html

Restart Required: Yes

Instructions:

1. Back up the current installation (program directory and database).
2. Download ADAudit Plus build 8123 or later from the ManageEngine website.
3. Run the upgrade.
4. Restart the ADAudit Plus service.

🔧 Temporary Workarounds

Input Validation Enhancement (Platform: all)

Strict validation of report-module parameters is the vendor's fix inside the product; operators cannot retrofit it to an unpatched build. Treat this item as something to confirm after upgrading, not as a workaround you can apply yourself.

Web Application Firewall (Platform: all)

Put a WAF or reverse proxy with SQL injection rules in front of the web interface and tune it for the reports endpoints. This narrows the attack surface but does not close it: encoded and obfuscated payloads routinely bypass signature rules, so a WAF buys time for patching rather than replacing it.
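The two workarounds above filter input; the vendor fix changes how the query is built. As an added illustration (not ADAudit Plus code, and not the vendor's patch), the following Python shows a report lookup written three ways against a constructed in-memory SQLite table: string-spliced (vulnerable), parameterized (the real fix), and parameterized behind an allow-list (defence in depth). The table, column names and the username allow-list are assumptions made for the example.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed audit table standing in for the report backend (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_events (id INTEGER, username TEXT, action TEXT)"
    )
    conn.executemany(
        "INSERT INTO audit_events VALUES (?, ?, ?)",
        [
            (1, "jdoe", "logon"),
            (2, "admin", "group_membership_change"),
            (3, "svc_backup", "logon"),
        ],
    )
    return conn


def report_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately unsafe: the caller's value is spliced into the SQL text."""
    sql = f"SELECT id, username, action FROM audit_events WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def report_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the value travels separately from the statement, so it can
    never change the query's structure."""
    sql = "SELECT id, username, action FROM audit_events WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed allow-list for the illustration; a real deployment would derive it from
# the identifier format the product actually accepts.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._\-]{1,64}$")


def report_validated(conn: sqlite3.Connection, username: str) -> list:
    """Allow-list validation in front of the parameterized query: rejects junk
    early and gives you a log event, but is not the control that stops injection."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected: username contains characters outside the allow-list")
    return report_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR 1=1--"
    print("vulnerable:", report_vulnerable(db, payload))   # every row comes back
    print("safe:      ", report_safe(db, payload))         # no row has that literal username
    try:
        report_validated(db, payload)
    except ValueError as e:
        print("validated: ", e)
```

The tautology `x' OR 1=1--` turns the spliced query into `WHERE username = 'x' OR 1=1--'`, which returns the whole table; the same string passed as a bound parameter matches nothing. Validation is worth keeping as a second layer, but a WAF rule that only looks for `' OR` gives you less than the parameterized query does.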

🧯 If You Can't Patch

  • Restrict network access to the ADAudit Plus web interface to trusted administrative IP ranges and never expose it to the internet.
  • Because exploitation needs a web-interface login, review who holds ADAudit Plus console accounts, remove the ones that are not needed, and enforce MFA where the deployment supports it.
  • Run the ADAudit Plus database account with least privilege: it should own only the product's own tables. If you moved the backend to Microsoft SQL Server, make sure the account is not a sysadmin and that xp_cmdshell is disabled, since that is the usual path from SQL injection to command execution.

🔍 How to Verify

Check if Vulnerable:

Read the build number from the web interface (the About page) or from the installation directory, and compare it with 8123.

Check Version:

On Windows: check 'Program Files\ManageEngine\ADAudit Plus\conf\version.txt'.
On Linux: check '/opt/ManageEngine/ADAudit Plus/conf/version.txt'.

Verify Fix Applied:

Confirm the build number is 8123 or higher after patching, then run a few reports to make sure the module still works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual queries in the database logs: UNION or stacked statements, sleep or delay functions, or queries touching tables the reports module does not normally read
  • Multiple failed logins followed by report-module access from the same source
  • Report-module requests whose parameter values contain quotes, comment markers or SQL keywords, including their URL-encoded forms

Network Indicators:

  • HTTP requests to the reports-module endpoints (e.g. /api/reports) with SQL keywords or encoded quotes in parameters
  • Unusual database connection patterns from the ADAudit Plus server, or report responses that are far larger than the same report normally returns

SIEM Query (illustrative; replace the source and field names with the ones your log pipeline uses):

source="ad_audit_logs" AND (url="*reports*" AND (param="*' OR *" OR param="*;--*"))

This catches only the two most naive payloads. URL-encoded quotes (%27), UNION SELECT, stacked queries and time-based payloads (pg_sleep, WAITFOR DELAY) will not match it. Decode parameters before matching, add those primitives, and compare against a baseline of normal report traffic per user to keep the false-positive rate tolerable.
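As an added example (not from the page and not a ManageEngine detection), here is a small Python scanner that applies the detection ideas above to web-server access logs. It scopes to report endpoints, URL-decodes each parameter until it stops changing (so a double-encoded %2527 does not slip through), and matches named injection primitives instead of a bare apostrophe, which would otherwise flag every O'Brien. The log lines, the /api/reports paths and the parameter names are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines in Common Log Format. These are NOT real
# ADAudit Plus logs; the /api/reports paths and parameter names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2025:10:01:02 +0000] "GET /api/reports/export?reportId=42&period=7 HTTP/1.1" 200 5120
10.0.0.7 - admin [12/Jan/2025:10:01:09 +0000] "GET /api/reports/export?reportId=42%27%20OR%201%3D1--&period=7 HTTP/1.1" 200 90000
10.0.0.7 - admin [12/Jan/2025:10:01:15 +0000] "GET /api/reports/export?reportId=42%3B%20SELECT%20pg_sleep(5)-- HTTP/1.1" 200 1200
10.0.0.7 - admin [12/Jan/2025:10:01:21 +0000] "GET /api/reports/export?reportId=42%2527%2520UNION%2520SELECT%2520null-- HTTP/1.1" 500 210
10.0.0.9 - jdoe [12/Jan/2025:10:02:00 +0000] "GET /api/reports/list?search=O%27Brien HTTP/1.1" 200 800
10.0.0.9 - jdoe [12/Jan/2025:10:02:30 +0000] "GET /dashboard?x=%27%20OR%201%3D1-- HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is named after the injection primitive it catches. A lone apostrophe
# is deliberately NOT a rule: names like O'Brien would drown real hits in noise.
SQLI_RULES = {
    "tautology":     re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop|exec|execute)\b", re.I),
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time_delay":    re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "comment_tail":  re.compile(r"(--|/\*|#)\s*$"),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so %2527 (a double-encoded quote) still reaches the rules."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def sqli_indicators(value: str) -> list[str]:
    """Names of every rule that fires on the fully decoded parameter value."""
    decoded = fully_decode(value)
    return [name for name, rx in SQLI_RULES.items() if rx.search(decoded)]


def scan_log(text: str, path_filter: str = "/reports") -> list[dict]:
    """Flag requests to report endpoints whose query parameters carry SQLi primitives."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production count these rather than drop silently
        parts = urlsplit(m["url"])
        if path_filter not in parts.path:
            continue  # outside this CVE's module; a broader rule can cover other paths
        # parse_qsl decodes once; fully_decode handles anything encoded more deeply.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = sqli_indicators(value)
            if hits:
                findings.append({
                    "ip": m["ip"], "user": m["user"], "path": parts.path,
                    "param": name, "value": fully_decode(value),
                    "indicators": hits, "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} {f['path']} {f['param']}={f['value']!r} -> {f['indicators']}")
```

Run against the constructed lines it reports the three requests from 10.0.0.7 (tautology, stacked query with pg_sleep, double-encoded UNION SELECT) and stays silent on the legitimate O'Brien search and on the /dashboard request, which a separate, broader rule should own. The 500 status on the UNION attempt is the kind of secondary signal worth joining against: failed injection attempts often surface as application errors before a working payload is found.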

🔗 References

  • Vendor advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-49574.html