Security
Response Center

ADManager Plus builds up to 7114 are vulnerable.

1. Run our exploit detection tool

ManageEngine has developed a tool to check if an ADManager Plus installation has been affected by this vulnerability. Follow the below steps to install and run the tool to check your instance.

• Download the ZIP file from here and extract its content to <ADManager Plus installation directory>\bin folder.
• Right-click on the Scan.bat file, and select "Run as administrator".
• If there is a possibility of an exploit, a command prompt window will open and display the following message:

Result: There is a possibility that your ADManager Plus server setup has been exploited. Please upload your logs at https://bonitas2.zohocorp.com and reach out to our Support team support@admanagerplus.com immediately

(or)

2. Manually identify if your installation is affected by checking access log entries Alternatively, you can check for specific log entries manually by following these steps:

In \ManageEngine\ADManager Plus\logs folder, search the access log entries for the below strings:

/../RestAPI/
/..;/RestAPI/
///RestAPI/
/./RestAPI

The image below shows the access log entry:

There is a possibility that your ADManager Plus server setup has been exploited if you find any of the above entries in the logs.

Implement the remediation steps provided below at the earliest possible time.

• If your installation is exploited, follow these steps:
  1. Isolate the machine in which ADManager Plus is installed.
  2. Back up the ADManager Plus database. Download and install ADManager Plus on a different machine and then restore the database backup. For step-by-step information on how to do this, refer to Method 2 on this webpage.
  3. Once the server is functional, upgrade the product to build 7117 or later versions using the service pack from here.
  4. Check for any unauthorized access or usage of your employees' accounts. Also, check for any evidences of lateral movement from the compromised machine to other machines in your environment. If there are any indications of compromised AD accounts, reset the passwords of those accounts.
• If your installation is not exploited
  1. We strongly recommend that you upgrade to the latest build even if your instance is unaffected. Download the service pack from here and the complete build from here.
  2. If you need any additional information, face any issues in performing the recommended steps, or need any help in upgrading your instance to the latest build, please write to us at support@admanagerplus.com. You can also call us at +1-312-471-2233 (toll-free).

Follow the steps below to update ADManager Plus to build 7117 or above:

• Shut down ADManager Plus
  1. If the product runs as an application, click on Start --› All Programs --› ADManager Plus --› Stop ADManager Plus.
  2. If the product runs as a Windows service, click on Start --› Run --› type "services.msc" --› Stop "ManageEngine ADManager Plus".
• Execute the stopDB.bat file under <ADManagerPlusHome>\bin directory.
• Back up ADManager Plus by zipping the contents of <ADManagerPlusHome> directory.
• If you use MS SQL as the Database Server for ADManager Plus, back up the database as well.
• Open Command Prompt and execute the UpdateManager.bat file under <ADManagerPlusHome>\bin directory.
  1. For Windows 7 / Vista / 2008 / 2008 R2 machines with User Account Control enabled, Select "Run as Administrator" while opening the Command Prompt.
• Click Browse and select the .ppm file that you have downloaded.
• Click on Install for the service pack. Depending on the amount of data to be migrated, the installation procedure may take a few minutes. Please do not terminate prematurely.
• Click Close and then Exit to quit Update Manager tool.
• Start ADManager Plus.

To find your current build number, log in to the ADManager Plus web client, and click the "License" link in the top pane. You'll find the build number in the License Details popup.

Currently, there are no workarounds to address this vulnerability. ManageEngine strongly recommends that you update ADManager Plus to the latest build as soon as possible.

The authentication bypass vulnerability has been fixed in ADManager Plus builds 7117 and above.

ManageEngine has also developed an exploit detection tool that makes it easier for users to check if their installation has been affected by this vulnerability. We've also released a security advisory to help you immediately address this vulnerability.

For immediate support regarding this issue, customers can get in touch with us at support@admanagerplus.com or +1-312-471-2233 (toll-free).

Various security enhancements have been made to ADManager Plus. We've also added a provision to check the Product Security Score and take measures to improve the security configurations of the product.