ManageEngine ADSelfService Plus Vulnerable to Remote Code Execution
CVE-2024-0252

8.8HIGH

Key Information:

Vendor: Manageengine
Status: Adselfservice Plus
Vendor: CVE Published:; 11 January 2024

Summary

ManageEngine ADSelfService Plus versions 6401 and earlier are exposed to a vulnerability that allows remote code execution through improper handling within the load balancer component. Exploiting this vulnerability necessitates user authentication, which adds a layer of complexity but does not eliminate the risk. Attackers who gain authenticated access could potentially leverage this weakness to execute unauthorized commands and compromise system integrity.

Affected Version(s)

ADSelfService Plus Windows 0

References

https://www.manageengine.com/products/self-service-passwo...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 11, 2024
Vulnerability Reserved
Jan 5, 2024