CVE-2024-5586
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the extranet lockouts report feature in ManageEngine ADAudit Plus. Attackers could potentially read, modify, or delete database information. Organizations using affected versions of ADAudit Plus are at risk.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise via SQL injection, leading to data exfiltration, privilege escalation, or system takeover if the injected SQL can be used to execute arbitrary commands.
Likely Case
Unauthorized access to sensitive Active Directory audit data, user information, or configuration details stored in the database.
If Mitigated
Limited impact with proper network segmentation, database permissions, and monitoring in place to detect and block SQL injection attempts.
🎯 Exploit Status
Exploitation requires valid user credentials to access the vulnerable feature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8121
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-5586.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus version 8121 or later from the ManageEngine website.
2. Back up the current installation and database.
3. Run the installer to upgrade.
4. Restart the ADAudit Plus service.
🔧 Temporary Workarounds
Disable Extranet Lockouts Report
Temporarily disable the vulnerable report feature until patching can be completed.
Restrict Access to Web Interface
Limit network access to the ADAudit Plus web interface to trusted IP addresses only.
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection protection rules
- Enforce principle of least privilege for database accounts used by ADAudit Plus
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus build in the web interface under Help > About or in the installation directory; any build below 8121 is affected.
Check Version:
On Windows: check 'Program Files\ManageEngine\ADAudit Plus\conf\version.txt' or the web interface.
On Linux: check '/opt/ManageEngine/ADAudit Plus/conf/version.txt' or the web interface.
Verify Fix Applied:
Confirm version is 8121 or higher and test extranet lockouts report functionality.
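The version check above can be scripted so it runs the same way on every ADAudit Plus host. The following is an added example, not a ManageEngine tool or code from this advisory; it reads the version.txt paths named above and compares the build against 8121. The exact contents of version.txt are not documented here, so the parser assumes the build number is the first integer of four or more digits in the file, and the Windows drive letter is taken from the ProgramFiles environment variable (both assumptions).

```python
import os
import re
import sys

FIXED_BUILD = 8121  # from the advisory: build 8121 or later contains the fix


def version_file_path():
    """Return the platform-specific version.txt path named in the advisory.

    Assumption: on Windows the install lives under %ProgramFiles%; the
    advisory gives the path without a drive letter.
    """
    if sys.platform.startswith("win"):
        base = os.environ.get("ProgramFiles", r"C:\Program Files")
        return os.path.join(base, "ManageEngine", "ADAudit Plus", "conf", "version.txt")
    return "/opt/ManageEngine/ADAudit Plus/conf/version.txt"


def parse_build(text):
    """Extract the build number from version.txt contents.

    Assumption: the build is the first 4+ digit integer in the file
    (the file format itself is not documented on the advisory page).
    """
    m = re.search(r"\b(\d{4,})\b", text)
    return int(m.group(1)) if m else None


def assess(text):
    """Classify version.txt contents as fixed, vulnerable or unknown."""
    build = parse_build(text)
    if build is None:
        return {"build": None, "status": "unknown"}
    status = "fixed" if build >= FIXED_BUILD else "vulnerable"
    return {"build": build, "status": status}


def assess_installed(path=None):
    """Read the installed version.txt (or an explicit path) and assess it.

    A missing or unreadable file yields status 'unknown' rather than an
    exception, so the check can be run fleet-wide and the results tallied.
    """
    path = path or version_file_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = assess(fh.read())
    except OSError as exc:
        result = {"build": None, "status": "unknown", "error": str(exc)}
    result["path"] = path
    return result


if __name__ == "__main__":
    # Optional explicit path as first argument, otherwise the default location
    print(assess_installed(sys.argv[1] if len(sys.argv) > 1 else None))
```

A status of "unknown" should be treated as unverified, not as safe: confirm the build through the web interface (Help > About) in that case.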
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by report access
- Unexpected database schema changes
Network Indicators:
- SQL injection patterns in HTTP requests to /api/extranetLockoutsReport
- Unusual database connections from ADAudit Plus server
SIEM Query:
source="ad_audit_logs" AND (url="*extranetLockoutsReport*" AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*" OR query="*DELETE*"))
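The SIEM query above matches SQL keywords as substrings of the raw request, which both misses percent-encoded payloads (the `*SELECT*` wildcard does not match `%20SELECT%20`) and fires on benign values such as `selected`. As an added example (not from this advisory or from ManageEngine), the script below applies the same rule to web-access log lines with the request target URL-decoded first and the keywords matched as whole words. The log lines and their format are constructed for the example, modelled on the common combined log layout; the `/api/extranetLockoutsReport` path is the one named above, and the keyword list is the one used in the SIEM query.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not real ADAudit Plus logs). The
# second and fourth lines carry encoded SQL keywords; the third carries the
# benign value "selected", which a substring match would flag.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jun/2024:10:01:02 +0000] "GET /api/extranetLockoutsReport?domain=corp.local&days=7 HTTP/1.1" 200 5120
10.0.0.9 - auditor [12/Jun/2024:10:02:17 +0000] "GET /api/extranetLockoutsReport?domain=corp.local%27%20UNION%20SELECT%201%2C2--&days=7 HTTP/1.1" 200 7331
10.0.0.9 - auditor [12/Jun/2024:10:02:40 +0000] "GET /api/extranetLockoutsReport?domain=corp.local&filter=selected HTTP/1.1" 200 900
10.0.0.9 - auditor [12/Jun/2024:10:03:01 +0000] "POST /api/extranetLockoutsReport?domain=corp.local%3B%20DELETE%20FROM%20audit_events HTTP/1.1" 500 120
"""

# Combined-log-style line: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "extranetLockoutsReport"          # endpoint named in the advisory
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE")  # keywords from the SIEM query
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def decode_params(target):
    """Split a request target into its path and fully decoded parameter values.

    parse_qsl decodes one layer of percent-encoding; a second unquote_plus
    pass also catches double-encoded values (harmless on already-plain text).
    """
    parts = urlsplit(target)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, [unquote_plus(v) for v in values]


def analyze_line(line):
    """Return a finding dict for a suspicious request to the report endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a request line we understand
    path, values = decode_params(m.group("target"))
    if TARGET_PATH not in path:
        return None                      # only the vulnerable endpoint is of interest
    hits = sorted({kw.upper() for v in values for kw in KEYWORD_RE.findall(v)})
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "user": m.group("user"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": m.group("status"),
        "keywords": hits,
    }


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the part worth carrying back into the SIEM rule: if the platform exposes a URL-decode function for the request field, apply it there; otherwise pair the query with an alert on HTTP 500 responses from the same endpoint, which an injection attempt that breaks the query will often produce.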