Rapid7 Vulnerability & Exploit Database

ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection

Back to Search

ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection



ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient validation of user input when performing the ChangePasswordAction function before passing it into a string that is later used as an OS command to execute. By making a POST request to /api/json/admin/saveServerSettings with a params POST parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user running ADManager Plus, which will typically be the local administrator. Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings, so this vulnerability does require authentication to exploit. As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads with this exploit, since these will use HTTP connections that will be affected by the change in configuration.


  • Simon Humbert
  • Dinh Hoang
  • Grant Willcox






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > show targets
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > set TARGET < target-id >
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > show options
    ...show and set options...
msf exploit(manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security