Zoho ManageEngine ADManager Plus: Attackers can inject SQL commands

Attackers can abuse an SQL injection vulnerability in ManageEngine ADManager Plus from Zohocorp to gain unauthorized access.


A security vulnerability in ManageEngine ADManager Plus gives attackers unauthorized access by letting them inject arbitrary SQL queries. A software update is available to patch the vulnerability.

In the CVE entry for the ManageEngine vulnerability, CVE-2024-48878, published today, Monday, the developers classify the vulnerability as high risk with a CVSS score of 8.3. The SQL injection flaw is located in the Archived Audit Report of ADManager Plus. "This vulnerability may allow authenticated attackers to execute their own queries and gain unauthorized access to database table entries through the vulnerable query," the ManageEngine developers explain in a security advisory.

The bug affects ManageEngine ADManager Plus version 7241 and older versions. Build 7250 is intended to fix the bug, according to the authors of the security release. According to the release notes, version 7250 was released together with 7251 at the beginning of October. However, the release notes do not mention any security-relevant changes in the new versions.


Admins can download the service pack or a newer version from the ADManager Plus service pack page. As the manufacturer classifies the vulnerability as high-risk, IT managers should apply the update quickly in order to minimize the attack surface for malicious actors.

At the beginning of the year, Zoho warned of a critical vulnerability in ManageEngine ADSelfService Plus. Attackers on the network were able to inject and execute code. In the past, IT security researchers had published proof-of-concept exploit code for vulnerabilities in several ManageEngine products, which made their misuse by cybercriminals much more likely. Cybercriminals often include such proof-of-concept exploits in their "toolbox" in an attempt to gain access to networks.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.