Subscribe via feed.

ManageEngine ADSelfService Plus Custom Script Execution

Posted by deepcore on April 21, 2022 – 10:23 pm

This Metasploit module exploits the “custom script” feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a “custom script” is arbitrary operating system command execution. This module uses an attacker provided “admin” account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior. This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. Use the “TARGET_RESET” operation to remove the malicious custom script when you are done.


This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.