Rapid7 Vulnerability & Exploit Database

ManageEngine ADSelfService Plus Custom Script Execution

Back to Search

ManageEngine ADSelfService Plus Custom Script Execution



This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin" account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior. This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. Use the "TARGET_RESET" operation to remove the malicious custom script when you are done. ADSelfService Plus uses default credentials of "admin":"admin"


  • Jake Baines
  • Hernan Diaz
  • Andrew Iwamaye
  • Dan Kelley






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show targets
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > set TARGET < target-id >
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show options
    ...show and set options...
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security