CVE-2024-5608
📋 TL;DR
This SQL injection vulnerability in ManageEngine ADAudit Plus lets an authenticated user run arbitrary SQL against the product database through the technician reports feature. Installations running builds below 8121 are affected. Because that database holds the Active Directory audit data the product collects, a successful injection exposes it.
💻 Affected Systems
- ManageEngine ADAudit Plus
⚠️ Risk & Real-World Impact
Worst Case
Full read/write access to the ADAudit Plus database: exfiltration of collected audit data and account information, tampering with or deleting audit records to cover tracks, and use of the harvested data (privileged account names, logon patterns, group changes) to plan privilege escalation and lateral movement in the domain.
Likely Case
Unauthorized access to sensitive audit logs, user information, and Active Directory configuration data.
If Mitigated
With the fix applied, or with the feature disabled and access to the web interface restricted while waiting to patch, exposure is limited to what a compromised technician account can legitimately see through the normal reports.
🎯 Exploit Status
SQL injection flaws of this kind are typically straightforward to exploit with standard web testing tools once the attacker can submit requests to the affected feature. Authentication is required, so the realistic attackers are malicious insiders, compromised technician accounts, or anyone who can first obtain a session by other means (phishing, credential reuse, or a separate vulnerability); treat technician credentials as a high-value target until the fix is applied.
🛠️ Fix & Mitigation
✅ Official Fix
Fixed Build: 8121 (ADAudit Plus versions are identified by build number)
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2024-5608.html
Restart Required: Yes
Instructions:
1. Back up your current installation and its database.
2. Download build 8121 or higher from the ManageEngine website (fixes are shipped as service packs; follow the vendor's upgrade instructions for your current build, which use ManageEngine's Update Manager tool).
3. Apply the upgrade.
4. Restart the ADAudit Plus service and confirm the new build number in the web interface.
🔧 Temporary Workarounds
Disable Technician Reports Feature
Temporarily disable the vulnerable technician reports feature to prevent exploitation until the fix is applied.
Navigate to the ADAudit Plus web interface > Settings > Reports > Technician Reports > Disable (confirm the exact menu path for your build; note that disabling the feature removes it for legitimate technicians as well).
Implement Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules in front of the ADAudit Plus web interface to block obvious payloads. Treat this as a speed bump, not a fix: signature-based rules can be evaded with encoding and comment tricks, and the attacker already holds a valid session.
🧯 If You Can't Patch
- Restrict network access to the ADAudit Plus web interface to trusted administrative networks or IPs only, and do not expose it to the internet.
- Reduce the attack surface on the authentication side: remove stale or shared technician accounts, keep the number of accounts with report access to a minimum, and enforce strong credentials and MFA where the deployment supports it.
- Run the product database under least privilege (a dedicated database account with only the rights ADAudit Plus needs) so that an injection cannot reach other databases on the same server. Application-level fixes such as parameterized queries are the vendor's responsibility; customers cannot modify the product code, so the only real remediation is the vendor build.
🔍 How to Verify
Check if Vulnerable:
Check the ADAudit Plus build number in the web interface under Help > About. If the build is below 8121, the system is vulnerable.
Check Version:
ADAudit Plus is a Windows application; the build number shown in the web interface is the authoritative value. On the server itself, the installed product entry under Programs and Features also identifies the installed build.
Verify Fix Applied:
After patching, confirm the build number is 8121 or higher. If you test the technician reports feature yourself, do it with authorization against a non-production copy, and do not point blind injection tooling at a production audit database, since a successful payload can modify or delete audit records.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by technician reports access
- Unexpected database errors in application logs
Network Indicators:
- HTTP requests to technician reports endpoints with SQL syntax in parameters
- Unusual outbound database connections from the ADAudit Plus server
SIEM Query (pseudo-query; adapt the field names to your log source, and match on URL-decoded parameter values, since injection payloads arrive percent-encoded and a literal match on ' OR will miss %27%20OR):
source="ADAudit Plus" AND (url="*technician*" AND (param="*' OR *" OR param="*;--*"))
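As an added detection example (not part of the original advisory and not ManageEngine code), the following Python implements the SIEM query's logic over raw web-server access log lines: it keeps only requests whose path contains "technician", URL-decodes every query parameter (twice, to catch double-encoded payloads), and flags values containing boolean, UNION, stacked-query, time-based or comment-terminator indicators. The endpoint path, the combined log format, and the sample lines are constructed assumptions; ADAudit Plus's actual report URLs and log layout may differ.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined access-log format (Apache/NGINX style). Assumption: the product's
# own web logs may use a different layout; adjust the regex to match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection indicators, checked against URL-decoded parameter values.
# More specific patterns come first so the reported pattern is informative.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),           # ' OR 1=1, ' or 'a'='a
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),                 # UNION-based extraction
    re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I), # stacked queries
    re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),  # time-based
    re.compile(r"--|/\*"),                                              # comment terminators
]


def suspicious_params(url):
    """Return [(param_name, decoded_value, matched_pattern)] for one request URL.

    parse_qsl decodes percent-encoding once; the extra unquote_plus catches
    double-encoded payloads such as %2527 -> %27 -> '.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                hits.append((name, decoded, pat.pattern))
                break
    return hits


def scan_log(lines, path_marker="technician"):
    """Return alert dicts for requests to technician-report URLs carrying SQLi indicators."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        url = m.group("url")
        if path_marker not in urlsplit(url).path.lower():
            continue  # only the affected feature is in scope
        hits = suspicious_params(url)
        if hits:
            alerts.append({
                "line": line_no,
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "url": url,
                "hits": hits,
            })
    return alerts


# Constructed sample lines for demonstration; these are not real ADAudit Plus logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:09:00:01 +0000] "GET /reports/technicianReports?reportId=12&range=7d HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2024:09:01:15 +0000] "GET /reports/technicianReports?reportId=12%27%20OR%201%3D1-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [01/Jun/2024:09:01:42 +0000] "GET /reports/technicianReports?reportId=12%20UNION%20ALL%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 9800',
    '203.0.113.7 - - [01/Jun/2024:09:02:03 +0000] "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 200 200',
    '198.51.100.9 - - [01/Jun/2024:09:05:00 +0000] "GET /reports/technicianReports?reportId=12%2527%2520OR%25201%253D1 HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for name, value, pattern in alert["hits"]:
            print(f'line {alert["line"]} {alert["ip"]} status={alert["status"]} '
                  f'param={name} value={value!r} pattern={pattern}')
```

Run against the constructed sample, lines 2, 3 and 5 are flagged (line 4 carries a payload but targets a different path and is ignored, and line 5 is only caught because of the second decoding pass). The 500 responses next to injected parameters are the "unexpected database errors" indicator from the log-indicators list, so correlating status codes with the flagged parameters is a cheap way to raise confidence.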