Unauthenticated RCE in password change function
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
In some cases the user password change is performed by a PowerShell script. The user credentials inserted into that script are not properly sanitized (double quotes are not escaped), so a value containing a double quote terminates the string literal and the remainder is parsed as PowerShell code. This allows PowerShell script injection and remote code execution on the ADSSP server.
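The following is an added example, not ADSSP's own code: it contrasts the vulnerable way of building such a command (splicing caller data into double-quoted script text) with two safer constructions, and includes a small statement counter that can be used in a unit test to show that caller data can no longer add statements. The template, the `reset.ps1` script name and the `RESET_USER`/`RESET_PW` environment variables are assumptions made for the example.

```python
"""Added example (constructed, not from the advisory or the vendor):
unsafe vs. safe construction of a PowerShell password-reset command."""
import os

# Constructed template showing the vulnerable pattern: caller-controlled
# values are spliced into script text inside double quotes. A double quote
# in the value closes the literal and the rest is parsed as PowerShell.
UNSAFE_TEMPLATE = (
    'Set-ADAccountPassword -Identity "{user}" '
    '-NewPassword (ConvertTo-SecureString "{pw}" -AsPlainText -Force)'
)


def build_unsafe(user: str, pw: str) -> str:
    """Vulnerable: string interpolation of untrusted values into script text."""
    return UNSAFE_TEMPLATE.format(user=user, pw=pw)


def ps_single_quote(value: str) -> str:
    """Render a value as a PowerShell single-quoted literal.

    Single-quoted strings are never interpolated ($ and ` are inert), and the
    only character that needs escaping is the quote itself, written as ''.
    Escaping " inside a double-quoted literal would NOT be enough, because
    "$(...)" subexpressions would still be evaluated.
    """
    return "'" + value.replace("'", "''") + "'"


def build_quoted(user: str, pw: str) -> str:
    """Safer: every untrusted value is a single-quoted literal."""
    return (
        f"Set-ADAccountPassword -Identity {ps_single_quote(user)} "
        f"-NewPassword (ConvertTo-SecureString {ps_single_quote(pw)} "
        f"-AsPlainText -Force)"
    )


def build_env_invocation(user: str, pw: str):
    """Preferred: keep untrusted data out of the script text entirely.

    A fixed script (hypothetical reset.ps1) reads $env:RESET_USER and
    $env:RESET_PW; the values never touch the parser, and they do not
    appear in the process command line either.
    """
    argv = ["powershell.exe", "-NoProfile", "-NonInteractive",
            "-File", "reset.ps1"]
    env = dict(os.environ, RESET_USER=user, RESET_PW=pw)
    return argv, env


def statement_count(script: str) -> int:
    """Count top-level statements in a PowerShell fragment.

    Splits on ';' and newlines that occur outside string literals, honouring
    PowerShell's escapes: a doubled quote inside either quote style, and a
    backtick inside double quotes. Useful as a regression check that caller
    data cannot introduce additional statements.
    """
    count, quote, i = 1, None, 0
    while i < len(script):
        c = script[i]
        if quote is None:
            if c in "'\"":
                quote = c
            elif c in ";\n":
                count += 1
        elif c == "`" and quote == '"':
            i += 1  # backtick escapes the next character
        elif c == quote:
            if i + 1 < len(script) and script[i + 1] == quote:
                i += 1  # doubled quote is an escaped quote
            else:
                quote = None
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample value containing a double quote and a semicolon.
    user, pw = "bob", 'pa"ss;word'
    print("unsafe   :", statement_count(build_unsafe(user, pw)), "statements")
    print("quoted   :", statement_count(build_quoted(user, pw)), "statements")
    print("env argv :", build_env_invocation(user, pw)[0])
```

With the sample value the unsafe template yields two statements, the single-quoted form yields one, and the environment-variable form keeps the value out of the script and the command line altogether. The counter is a test aid, not an input filter: rejecting quotes in passwords would be the wrong fix, since the problem is how the value is embedded, not the value itself.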
- Download CVE-2021-28958.py and modify the following values in the script:
  - URL - ADSSP address
  - DOMAIN - Active Directory domain configured in ADSSP
  - CMD - command to be executed on the ADSSP server
- Execute the CVE-2021-28958.py script (using a Python 3 interpreter).
- The command defined in the CMD variable will be executed on the ADSSP server.
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 23-03-2021 - First patch release
- 24-03-2021 - Security issues with first patch reported to vendor
- 24-03-2021 - Updated patch for retest received from vendor
- 30-03-2021 - Updated patch release
- 30-08-2021 - Public disclosure