CVE-2022-28219 Detection: Critical RCE Vulnerability in Zoho ManageEngine ADAudit Plus

Zoho’s ManageEngine operates cost-effective network management frameworks leveraged by over 40,000 enterprises worldwide. Due to the software popularity and its wide use across the globe, cyber threats detected in Zoho’s products could have a severe impact on thousands of compromised businesses, which earlier happened with the critical zero-day vulnerability in ManageEngine Desktop Central products. 

On June 30, 2022 cybersecurity researchers unveiled a remote code execution (RCE) vulnerability affecting ManageEngine ADAudit Plus, Zoho’s compliance tool leveraged by enterprise organizations to keep track of the changes in the Active Directory (AD) environment. This critical vulnerability tracked as CVE-2022-28219 allows attackers to gain privileged access to AD credentials and exfiltrate sensitive data. 

Detect CVE-2022-28219 Vulnerability

To help organizations minimize the risks caused by the CVE-2022-28219 exploitation attempts, SOC Prime team has recently released a set of dedicated Sigma rules that can be instantly reached using the appropriate tag #CVE-2022-28219:

Sigma rules to detect exploitation attempts of CVE-2022-28219

To access the above-mentioned content for proactive detection of CVE-2022-28219 vulnerability exploitation, make sure to sign up or log into SOC Prime’s platform. 

The Suspicious Windows Paths in Web Request (via web) Sigma rule allows detecting adversary attempts to trigger untrusted Java deserialization and command execution using a web request, which contains an operation system path.

Another detection from the list above, Possible Vulnerable ADAudit Endpoint Exploitation CVE-2022-28219 (via web), detects vulnerable ADAudit endpoint exploitation patterns related to CVE-2022-28219.

Both Sigma rules can be instantly converted to the industry-leading SIEM, EDR, and XDR solutions and adjusted to custom data schemas for scalable content deployments. For increased threat visibility, the dedicated Sigma rules are aligned with the MITRE ATT&CK® framework addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as its primary technique.

Threat Hunters, Cyber Threat Intelligence specialists, and other InfoSec practitioners can also apply the above-mentioned Sigma rules to instantly search for threats associated with CVE-2022-28219 using SOC Prime’s Quick Hunt module.

SOC Prime’s Detection as Code platform curates a broad collection of detection algorithms to proactively defend against cyber threats impacting Zoho’s ManageEngine products. Click the Detect & Hunt button below to reach the comprehensive list of dedicated detection rules and hunting queries. Alternatively, cybersecurity experts can browse SOC Prime to take a deeper dive into contextual information related to CVE-2022-28219, explore MITRE ATT&CK references, CVE descriptions, relevant CTI links, and more — all in a single place and without registration.

Detect & Hunt Explore Threat Context

ManageEngine ADAudit Plus Flaw Analysis & Mitigation

The inquiry by Horizon3.ai details the unauthenticated RCE vulnerability affecting the Zoho ManageEngine ADAudit Plus compliance tool. The researchers note that this critical flaw derives from a set of security gaps, including untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection. In case exploited, the bug enables adversaries to execute code remotely on vulnerable instances and, in some cases, compromise domain admin accounts. 

The proof-of-concept exploit is publicly available via GitHub. The nature of the bug and potential effect make it a point of high interest for ransomware operators and initial access brokers.   

Researchers urge all enterprise users of ADAudit Plus to upgrade their instances to the build 7060 in order to prevent attacks against the infrastructure. 

To strengthen your organization’s cybersecurity posture, access the world’s largest collection of Sigma rules compatible with 25+ SIEM, XDR & EDR platforms via SOC Prime’s Detection as Code platform. Eager to help the global cybersecurity community withstand the emerging threats while polishing your Threat Hunting and Detection Engineering skills? Join our Threat Bounty Program, get your own Sigma rules published to SOC Prime’s platform, and receive recurrent payouts for your contribution!