In March 2022, an unauthenticated remote code execution (RCE) vulnerability was identified affecting the Zoho ManageEngine ADAudit Plus solution, which organizations use to monitor changes in Active Directory. (Reference Link)

The security vulnerability tracked as CVE-2022-28219 is caused by a combination of Untrusted Java Deserialization, Path Traversal, and XEE (XML External Entity) issues. Apart from allowing remote code execution on affected systems, the vulnerability can be exploited in some cases to compromise domain administrator accounts.

Active Directory management-related products (ADManager Plus, ADSelfService Plus, ADAudit Plus) are widely used by institutions/organizations.

These applications create an attractive attack surface for threat actors because of their privileged access to Active Directory. Details of the PoC code and applications for exploiting the vulnerability affecting ADAudit Plus have been published by security researchers.

Applications such as ADAudit Plus that integrate with Active Directory must store credentials to connect to it. ADAudit Plus keeps these credentials encrypted in its database. It is possible to reverse the encryption for clear access to these credentials. If these credentials are compromised, it gives a lot of privilege to the threat actors. ADAudit Plus makes it easy for users to connect to AD with their domain administrator credentials, and users use this easy way instead of creating a special service account with limited privileges. By manipulating this feature, threat actors can completely compromise the AD domain through ADAudit Plus.

In order not to be the target of attacks that can be carried out by exploiting the vulnerability, institutions/organizations using ADAudit Plus are urgently recommended to upgrade to ADAudit Plus 7060 or a later version to fix the security vulnerability.