Research & Development
$ #


Domain administrator takeover via machine account creation

9.0 (Critical)


ManageEngine ADSelfService Plus

< 6112

Krzysztof Andrusiak and Marcin Ogorzelski

It is possible to log in as Administrator (or any other user) to ADSSP by creating machine account named " Administrator" (with leading space) and then using it to log in to ADSSP. In such case user will be logged in as "Administrator" (without leading space). By modifying 2FA question answers user can change password of "Administrator" domain user, effectively leading to AD domain compromise. This attack can be done by any low-privileged AD user since by default any user can create up to 10 machine accounts in the domain.

  • 07-05-2021 - Vulnerability reported to vendor
  • 07-05-2021 - First response from vendor
  • 26-08-2021 - Fixed version release
  • 04-10-2023 - Public disclosure