CVE-2026-1367
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary SQL commands through the search report option in ManageEngine ADSelfService Plus. Attackers could potentially access, modify, or delete sensitive Active Directory data. Organizations using ADSelfService Plus versions 6522 and below are affected.
💻 Affected Systems
- Zohocorp ManageEngine ADSelfService Plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete Active Directory compromise leading to domain takeover, credential theft, and lateral movement across the entire network.
Likely Case
Unauthorized access to sensitive user data, password hashes, and Active Directory information that could facilitate further attacks.
If Mitigated
Limited data exposure if proper input validation and database permissions are enforced, though SQL injection remains possible.
🎯 Exploit Status
SQL injection vulnerabilities are frequently weaponized. Requires authenticated access but exploitation is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6523 and above
Vendor Advisory: https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026-1367.html
Restart Required: Yes
Instructions:
1. Download the latest version from the ManageEngine website.
2. Back up the current installation.
3. Stop the ADSelfService Plus service.
4. Install the update.
5. Restart the service.
🔧 Temporary Workarounds
Disable Search Report Feature
Temporarily disable the vulnerable search report functionality until patching can be completed.
Implement Web Application Firewall Rules
Add SQL injection detection and blocking rules to the WAF or reverse proxy.
🧯 If You Can't Patch
- Restrict network access to ADSelfService Plus to trusted IPs only
- Implement strict monitoring for unusual database queries and access patterns
🔍 How to Verify
Check if Vulnerable:
Check ADSelfService Plus version in web interface or installation directory. Versions 6522 and below are vulnerable.
Check Version:
Check web interface at https://[server]:[port]/ or examine installation directory version files.
Verify Fix Applied:
Verify version is 6523 or higher after update. Test search report functionality with SQL injection test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed authentication attempts followed by search report access
- Database error messages containing SQL syntax
Network Indicators:
- Unusual database connection patterns from ADSelfService Plus server
- Large data transfers from database to application server
SIEM Query:
source="ADSelfService" AND ("sql" OR "database" OR "query") AND (error OR exception OR "syntax")
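The two log indicators above (the "multiple failed authentication attempts followed by search report access" sequence, and the keyword logic of the SIEM query) implemented as a small Python detector run over constructed log lines. This is an added example, not part of this page and not ManageEngine's own code or log format: the `key=value` line layout, the message strings (`authentication failed`, `search report generated`) and the threshold of three failures are assumptions, so a real deployment needs its own parser and tuned thresholds.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines. The key=value layout and message text are assumed,
# not taken from ADSelfService Plus; they exist only to exercise the two detections.
SAMPLE_LOGS = [
    '2026-01-15T10:01:50 source=ADSelfService level=WARN msg="authentication failed" user=jdoe',
    '2026-01-15T10:01:55 source=ADSelfService level=WARN msg="authentication failed" user=jdoe',
    '2026-01-15T10:02:00 source=ADSelfService level=WARN msg="authentication failed" user=jdoe',
    '2026-01-15T10:02:05 source=ADSelfService level=INFO msg="authentication succeeded" user=jdoe',
    '2026-01-15T10:02:11 source=ADSelfService level=INFO msg="search report generated" user=jdoe',
    '2026-01-15T10:02:15 source=ADSelfService level=ERROR msg="database query failed: SQL syntax error near \'\'" user=jdoe',
    '2026-01-15T10:03:01 source=Nginx level=ERROR msg="upstream database timeout"',
    '2026-01-15T10:03:05 source=ADSelfService level=INFO msg="search report generated" user=asmith',
]

# Keyword groups mirroring the SIEM query on the page:
# source="ADSelfService" AND ("sql" OR "database" OR "query") AND (error OR exception OR "syntax")
SQL_TERMS = ("sql", "database", "query")
FAILURE_TERMS = ("error", "exception", "syntax")

# key=value or key="quoted value" (assumed log layout)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split an assumed key=value log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def matches_siem_query(line: str) -> bool:
    """True when the line satisfies the page's SIEM query: the source field is
    ADSelfService, and the event text contains a SQL term and a failure term."""
    fields = parse_line(line)
    if fields.get("source", "").lower() != "adselfservice":
        return False
    lower = line.lower()
    has_sql_term = any(term in lower for term in SQL_TERMS)
    has_failure_term = any(term in lower for term in FAILURE_TERMS)
    return has_sql_term and has_failure_term


def find_indicators(lines: Iterable[str]) -> List[str]:
    """Return every line that matches the SIEM query logic."""
    return [line for line in lines if matches_siem_query(line)]


def flag_suspicious_report_access(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, int]]:
    """Flag users who reach the search report after at least `threshold` failed
    authentications (the 'failed auth followed by search report access' indicator).
    A successful login does not reset the count: the pattern is precisely failures,
    then success, then report access. The count resets once an alert is raised so a
    single burst produces one alert."""
    failures: Counter = Counter()
    flagged: List[Tuple[str, int]] = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("source", "").lower() != "adselfservice":
            continue
        user = fields.get("user")
        if user is None:
            continue
        msg = fields.get("msg", "").lower()
        if "authentication failed" in msg:
            failures[user] += 1
        elif "search report" in msg:
            if failures[user] >= threshold:
                flagged.append((user, failures[user]))
            failures[user] = 0
    return flagged


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOGS):
        print("SIEM query match:", hit)
    for user, count in flag_suspicious_report_access(SAMPLE_LOGS):
        print(f"search report access by {user} after {count} failed authentications")
```

On the constructed input the SIEM query matches only the `database query failed ... SQL syntax error` line (the Nginx line is excluded because its source field is not ADSelfService, even though it mentions both "database" and "error"), and the sequence detector flags `jdoe` but not `asmith`, who generated a report without preceding failures.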