Research & Development
Unauthenticated and authenticated RCE via PowerShell injection - system locale dependent

Severity (CVSS): 8.1 (High)

Product: ManageEngine ADSelfService Plus

Affected versions: < 6105

Credits: Krzysztof Andrusiak and Marcin Ogorzelski

In some configurations ADSSP performs the user password change by running a PowerShell script. The user-supplied credentials are inserted into that script without proper sanitization, so an attacker who controls them can inject arbitrary PowerShell and obtain remote code execution on the ADSSP server. The vulnerability is exploitable only when ADSSP is installed on certain Windows versions (it depends on the system language/locale).
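The following Python block is an added illustration of the vulnerability class described above; it is not ADSSP's code, not the authors' PoC, and does not model the locale condition. The script shape, the cmdlets used (ConvertTo-SecureString, Set-ADAccountPassword), the field names and the sample values are assumptions. It builds a password-change script the way a vulnerable application might (by interpolating untrusted fields into the script text), shows how a crafted password turns into extra statements, and contrasts two hardened builders: one that renders each value as a properly escaped PowerShell single-quoted literal (doubling every quote variant PowerShell's lexer accepts, including the Unicode apostrophes U+2018 to U+201B), and one that passes the value as Base64 and decodes it inside the script, which removes the need to get any escaping rule right. A toy quote-aware splitter stands in for the PowerShell lexer so the effect can be checked offline.

```python
import base64

# PowerShell's lexer accepts these Unicode apostrophes as single quotes too,
# so an escaper that only doubles ASCII "'" can still be broken out of.
PS_SINGLE_QUOTES = "'\u2018\u2019\u201a\u201b"

# Constructed payload: closes the literal, appends a statement, and comments
# out the remainder of the line so the whole script still parses.
INJECTED = "p'; Start-Process calc.exe #"


def build_script_unsafe(username, new_password, domain):
    """Vulnerable pattern (illustrative, not ADSSP's code): untrusted fields
    are interpolated straight into the script text."""
    return (
        f"$pw = ConvertTo-SecureString -String '{new_password}' -AsPlainText -Force\n"
        f"Set-ADAccountPassword -Identity '{username}@{domain}' -NewPassword $pw -Reset\n"
    )


def ps_single_quote(value):
    """Render value as a PowerShell single-quoted literal. Inside such a
    literal nothing is interpreted except a quote character, whose only
    escape is doubling it, so every quote variant PowerShell knows is doubled."""
    return "'" + "".join(c * 2 if c in PS_SINGLE_QUOTES else c for c in value) + "'"


def ps_base64_expr(value):
    """Stronger option: ship the value as Base64 and decode it in the script.
    The Base64 alphabet has no character PowerShell treats specially."""
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{b64}')))"


def build_script_escaped(username, new_password, domain):
    """Hardened builder: every untrusted field is a quoted literal."""
    identity = f"{username}@{domain}"
    return (
        f"$pw = ConvertTo-SecureString -String {ps_single_quote(new_password)} -AsPlainText -Force\n"
        f"Set-ADAccountPassword -Identity {ps_single_quote(identity)} -NewPassword $pw -Reset\n"
    )


def build_script_base64(username, new_password, domain):
    """Hardened builder: untrusted fields never touch the script syntax."""
    identity = f"{username}@{domain}"
    return (
        f"$pw = ConvertTo-SecureString -String {ps_base64_expr(new_password)} -AsPlainText -Force\n"
        f"Set-ADAccountPassword -Identity {ps_base64_expr(identity)} -NewPassword $pw -Reset\n"
    )


def split_statements(script):
    """Toy subset of PowerShell's lexer: split on ';' and newlines and drop
    '#' comments, but only outside single-quoted literals (doubled quotes
    are literal apostrophes). Enough to show whether a field stayed data or
    became additional statements."""
    statements, buf, in_quote, i = [], [], False, 0

    def flush():
        text = "".join(buf).strip()
        if text:
            statements.append(text)
        buf.clear()

    while i < len(script):
        c = script[i]
        if in_quote:
            if c in PS_SINGLE_QUOTES:
                if i + 1 < len(script) and script[i + 1] in PS_SINGLE_QUOTES:
                    buf.append(c)  # doubled quote: literal apostrophe, stay in string
                    i += 2
                    continue
                in_quote = False
            buf.append(c)
        elif c in PS_SINGLE_QUOTES:
            in_quote = True
            buf.append(c)
        elif c == "#":  # comment runs to end of line
            flush()
            while i < len(script) and script[i] != "\n":
                i += 1
            continue
        elif c in ";\n":
            flush()
        else:
            buf.append(c)
        i += 1
    flush()
    return statements


if __name__ == "__main__":
    builders = [("unsafe", build_script_unsafe),
                ("escaped", build_script_escaped),
                ("base64", build_script_base64)]
    for name, build in builders:
        stmts = split_statements(build("alice", INJECTED, "corp.example"))
        print(f"{name}: {len(stmts)} statement(s)")
        for s in stmts:
            print("   ", s)
```

With the unsafe builder the constructed password yields three statements, the middle one being the attacker's `Start-Process calc.exe`; both hardened builders keep the script at its two intended statements, and the escaped builder also withstands the same payload written with a Unicode apostrophe. Of the two fixes, the Base64 route is preferable in practice because its safety does not depend on knowing every quoting rule of the target interpreter.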

  1. Download the script and set the following values in it:
    URL - address of the ADSSP instance (running on Japanese Windows)
    DOMAIN - Active Directory domain configured in ADSSP
    CMD - command to be executed on the ADSSP server
  2. Run the script with a Python 3 interpreter.
  3. The command defined in the CMD variable is executed on the ADSSP server.
  • 07-05-2021 - Vulnerability reported to vendor
  • 07-05-2021 - First response from vendor
  • 18-05-2021 - Patch for retest received from vendor
  • 26-05-2021 - Fixed version release
  • 30-08-2021 - Public disclosure