CVE-2024-5490
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the aggregate reports feature in ManageEngine ADAudit Plus. Attackers could potentially read, modify, or delete database content. Organizations using ADAudit Plus versions below 8000 are affected.
💻 Affected Systems
- Zohocorp ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ADAudit Plus database, allowing data exfiltration, privilege escalation, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive audit data, configuration information, and potential credential harvesting from the database.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and database permissions restricting the SQL injection.
🎯 Exploit Status
Exploitation requires authenticated access. SQL injection vulnerabilities are commonly exploited with readily available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8000 and above
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-5490.html
Restart Required: Yes
Instructions:
1. Download the latest version (8000 or above) from the ManageEngine website.
2. Back up your current installation.
3. Run the installer to upgrade.
4. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Disable Aggregate Reports
Temporarily disable the aggregate reports feature to prevent exploitation.
Network Segmentation
Restrict access to the ADAudit Plus web interface to trusted administrative networks only.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries at the application layer if source code access is available.
- Apply database-level controls to limit the impact of SQL injection (e.g., least privilege database accounts, stored procedures).
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus version in the web interface under Help > About. If the version is below 8000, the system is vulnerable.
Check Version:
Not applicable - check via web interface or installation directory version files.
Verify Fix Applied:
After upgrading, verify the version is 8000 or above in Help > About. Test the aggregate reports functionality to ensure it works without errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by aggregate reports access
- Errors in ADAudit Plus application logs related to SQL parsing
Network Indicators:
- Unusual outbound database connections from ADAudit Plus server
- SQL injection patterns in HTTP requests to /api/aggregatereports endpoints
SIEM Query:
source="ADAudit Plus" AND (url="*aggregatereports*" AND (method="POST" OR method="GET") AND (content="*' OR *" OR content="*;--*" OR content="*UNION*"))
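The SIEM query above, re-expressed as detection logic over a few constructed request records. This is an added example, not code from the advisory or from the vendor; the record field names and sample values are assumptions. It applies the same three indicators but URL-decodes the URL and body first, since a literal `content="*UNION*"` match misses encoded variants such as `%20UNION%20`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (not real ADAudit Plus logs). The fields
# mirror what the SIEM query keys on: source, method, url and request content.
SAMPLE_REQUESTS = [
    {"source": "ADAudit Plus", "method": "GET",
     "url": "/api/aggregatereports?reportId=12", "content": "reportId=12"},
    {"source": "ADAudit Plus", "method": "POST",
     "url": "/api/aggregatereports", "content": "reportId=12' OR 1=1;--"},
    {"source": "ADAudit Plus", "method": "POST",
     "url": "/api/aggregatereports", "content": "reportId=12%27%20UNION%20SELECT%201"},
    {"source": "ADAudit Plus", "method": "GET",
     "url": "/api/users", "content": "q=' OR 1=1"},  # wrong endpoint: not in scope
]

# The same three indicators as the SIEM query ("' OR ", ";--", "UNION").
# Word boundaries keep "UNION" from matching words like "reunion".
INDICATORS = [
    ("quote-or", re.compile(r"'\s*OR\b", re.IGNORECASE)),
    ("comment-terminator", re.compile(r";\s*--")),
    ("union", re.compile(r"\bUNION\b", re.IGNORECASE)),
]


def matched_indicators(request):
    """Return the indicator names found in one aggregatereports request.

    Scope matches the SIEM query (source, endpoint, GET/POST); unlike the
    literal query, the URL and body are URL-decoded before matching.
    """
    if request.get("source") != "ADAudit Plus":
        return []
    if "aggregatereports" not in request.get("url", "").lower():
        return []
    if request.get("method") not in ("GET", "POST"):
        return []
    haystack = unquote_plus(request.get("url", "")) + " " + unquote_plus(request.get("content", ""))
    return [name for name, pattern in INDICATORS if pattern.search(haystack)]


def flag_requests(requests):
    """Return (index, indicators) for each request that trips an indicator."""
    return [(i, found) for i, req in enumerate(requests) if (found := matched_indicators(req))]


if __name__ == "__main__":
    for idx, found in flag_requests(SAMPLE_REQUESTS):
        print(f"request #{idx}: {SAMPLE_REQUESTS[idx]['content']!r} -> {found}")
```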