CVE-2024-5487
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the attack surface analyzer's export option in ManageEngine ADAudit Plus. Attackers could potentially access, modify, or delete sensitive Active Directory audit data. Organizations running vulnerable versions of ADAudit Plus are affected.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ADAudit Plus database, allowing attackers to exfiltrate sensitive Active Directory audit data, modify audit logs to cover tracks, or execute arbitrary commands on the underlying database server.
Likely Case
Unauthorized access to sensitive audit data, potentially exposing user activities, security events, and compliance information stored in the ADAudit Plus database.
If Mitigated
Limited impact if proper network segmentation, database permissions, and authentication controls are in place, though some data exposure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access to the ADAudit Plus web interface. SQL injection vulnerabilities are typically easy to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8110
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-5487.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus version 8110 or later from the ManageEngine website.
2. Back up your current installation and database.
3. Run the installer to upgrade to version 8110 or later.
4. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Disable Attack Surface Analyzer Export
Temporarily disable the vulnerable export functionality in the attack surface analyzer module
Restrict Access to ADAudit Plus Interface
Implement network access controls to limit which users can access the ADAudit Plus web interface
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ADAudit Plus from other critical systems
- Enforce strong authentication and authorization controls, limiting access to only necessary administrative users
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus version in the web interface under Help > About or run the version check command
Check Version:
On Windows: check Services.msc for the ADAudit Plus version.
On Linux: check /opt/ManageEngine/ADAudit Plus/conf/version.txt
Verify Fix Applied:
Verify the installed version is 8110 or higher and test the attack surface analyzer export functionality
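The build comparison above can be scripted. The following is an added example, not ManageEngine tooling: it reads a version string (for instance the contents of the version.txt path listed above, or the text shown under Help > About) and reports whether the build predates 8110. The assumption that the build number appears as the first 4- or 5-digit integer in that text is the example's own; the page does not document the file's format.

```python
"""Added example: decide whether an ADAudit Plus build is below the fixed build.

Not vendor tooling. Assumes the build number appears as a 4-5 digit integer
in conf/version.txt (or in the Help > About text); that format is an assumption.
"""
import re
from pathlib import Path
from typing import Optional

FIXED_BUILD = 8110  # first build carrying the fix, per the advisory

# Assumption: the build number is the first 4-5 digit integer in the text.
# If your version.txt also carries a year or date, adjust the pattern.
BUILD_RE = re.compile(r"\b(\d{4,5})\b")


def parse_build(text: str) -> Optional[int]:
    """Extract the build number from version text; None if none is found."""
    match = BUILD_RE.search(text)
    return int(match.group(1)) if match else None


def is_vulnerable(build: Optional[int], fixed: int = FIXED_BUILD) -> Optional[bool]:
    """True if the build predates the fix, False if patched, None if unknown."""
    if build is None:
        return None
    return build < fixed


def assess(text: str) -> str:
    """Human-readable verdict for a version string."""
    build = parse_build(text)
    state = is_vulnerable(build)
    if state is None:
        return "UNKNOWN: no build number found; check Help > About manually"
    if state:
        return f"VULNERABLE: build {build} < {FIXED_BUILD}; upgrade to {FIXED_BUILD} or later"
    return f"PATCHED: build {build} >= {FIXED_BUILD}"


def assess_file(path: str) -> str:
    """Read a version file (e.g. the Linux conf/version.txt path) and assess it."""
    return assess(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real installation.
    for sample in ("Build: 8100", "8110", "ADAudit Plus 8123", "no number here"):
        print(f"{sample!r}: {assess(sample)}")
```

Run `assess_file("/opt/ManageEngine/ADAudit Plus/conf/version.txt")` on a Linux host; on Windows paste the Help > About text into `assess()`. A verdict of UNKNOWN means the pattern did not match and the version should be read by hand rather than assumed patched.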
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed export attempts
- Unexpected database connections from ADAudit Plus application
Network Indicators:
- Unusual database traffic patterns from ADAudit Plus server
- Large data exports through the web interface
SIEM Query:
source="ADAudit Plus" AND (event="Export" OR event="SQL" OR event="Database") AND status="Failed"
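The log indicators listed above can be turned into a small detection pass. The following is an added example, not ManageEngine or SIEM-vendor code: it runs over constructed export-event lines in a hypothetical key=value format, flags export parameters containing SQL metacharacters, and flags any user with repeated failed export attempts. The line format, field names, and threshold are assumptions made for the example; map your real ADAudit Plus export or audit events onto the same fields before using it.

```python
"""Added example: score export events against the log indicators above.

Not ManageEngine code. The log line format is constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (hypothetical key=value format, not real ADAudit Plus output).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z user=alice module=AttackSurfaceAnalyzer action=Export status=Success param=reportId=12
2024-06-01T10:00:09Z user=bob module=AttackSurfaceAnalyzer action=Export status=Failed param=reportId=12'
2024-06-01T10:00:11Z user=bob module=AttackSurfaceAnalyzer action=Export status=Failed param=reportId=12'--
2024-06-01T10:00:14Z user=bob module=AttackSurfaceAnalyzer action=Export status=Failed param=reportId=12;
2024-06-01T10:00:20Z user=carol module=Reports action=Export status=Success param=reportId=3
2024-06-01T10:00:25Z user=bob module=AttackSurfaceAnalyzer action=Export status=Success param=reportId=1
"""

# Assumed line layout: timestamp, then fixed key=value fields, param last (may contain spaces).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) module=(?P<module>\S+) "
    r"action=(?P<action>\S+) status=(?P<status>\S+) param=(?P<param>.*)$"
)
# Characters and keywords that have no business in a report identifier.
SQL_META_RE = re.compile(r"['\";]|--|/\*|\b(union|select)\b", re.IGNORECASE)
FAIL_THRESHOLD = 3  # failed exports by one user within the scanned window (assumed)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse lines matching the assumed format; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def analyze(log_text: str, threshold: int = FAIL_THRESHOLD) -> List[str]:
    """Return one alert string per matching indicator (metacharacters, repeated failures)."""
    alerts = []
    failed_by_user = defaultdict(int)
    for ev in parse(log_text):
        if ev["action"] != "Export":
            continue
        if SQL_META_RE.search(ev["param"]):
            alerts.append(
                f"{ev['ts']} {ev['user']}: SQL metacharacters in export parameter {ev['param']!r}"
            )
        if ev["status"] == "Failed":
            failed_by_user[ev["user"]] += 1
    for user, count in failed_by_user.items():
        if count >= threshold:
            alerts.append(f"{user}: {count} failed export attempts (threshold {threshold})")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The two checks are deliberately independent: a single malformed parameter is worth a look even when the export succeeded, and a burst of failures is worth a look even when the parameters look clean. Tune the threshold to the export volume your administrators normally generate, and pair it with the database-side indicators above, since application logs alone will not show what reached the database.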