CVE-2022-29457
CVE-2022-29457
Vexday Risk Score
23Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS —EPSS 7.9%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
18 Apr 2022Published on NVD
11 May 2022Public PoC
Weaponization speed
22 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
Affected products
n/a · n/apublic PoCs found — 2
cve_referencepacketstormsecurity.com/files/167051/ManageEngine-ADSelfService-Plus-Build-6118-NTLMv2-Hash-Exposure.htmlunverifiedexploitdbwww.exploit-db.com/exploits/50904unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/167051/ManageEngine-ADSelfService-Plus-Build-6118-NTLMv2-Hash-Exposure.htmlhttps://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerabilityhttps://www.manageengine.com/products/self-service-password/release-notes.html