ManageEngine ADManager Plus Privilege Escalation

ManageEngine ADManager Plus builds prior to 7210 suffer from a privilege escalation vulnerability.

Packet Storm
#vulnerability#ldap#auth
# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of Privilege Vulnerability
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
# Version: ADManager Plus Build < 7210
# Tested against: Build 7203
# CVE: CVE-2024-24409

# Description

Modify Computers is a predefined role in ADManager for managing computers. A technician user who has the Modify Computers privilege over a computer can change the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer object. The technician user can therefore set Constrained Kerberos Delegation on any computer within the Organizational Unit delegated to that user. An attacker in that position can perform DCSync after setting Constrained Kerberos Delegation on a computer for the LDAP service of a Domain Controller server.

# Proof Of Concept

https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
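A defender-side check for the condition the description names, as an added example that is not part of the original advisory: it scans exported computer objects for constrained delegation to the ldap service of a domain controller. The export layout, the sample records and the example.local names are constructed assumptions; the flag values are the standard userAccountControl bits.

```python
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller accounts

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service class, host), lowercased."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return parts[0].lower(), parts[1].split(":")[0].lower()

def dc_hostnames(computers):
    """Collect the FQDN and short name of every account flagged as a DC."""
    names = set()
    for c in computers:
        if c["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            fqdn = c["dNSHostName"].lower()
            names.update({fqdn, fqdn.split(".")[0]})
    return names

def audit_delegation(computers):
    """Return findings for non-DC computers allowed to delegate to ldap/ on a DC."""
    dcs = dc_hostnames(computers)
    findings = []
    for c in computers:
        uac = c["userAccountControl"]
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # domain controller accounts are not the objects being audited
        for spn in c.get("msDS-AllowedToDelegateTo", []):
            parsed = parse_spn(spn)
            if parsed and parsed[0] == "ldap" and parsed[1] in dcs:
                findings.append({"dn": c["dn"], "spn": spn, "protocol_transition":
                                 bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)})
    return findings

# Constructed sample export; all names belong to a hypothetical example.local domain.
SAMPLE = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
     "dNSHostName": "dc01.example.local", "userAccountControl": 0x82000},
    {"dn": "CN=WS01,OU=Branch,DC=example,DC=local",
     "dNSHostName": "ws01.example.local", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["ldap/dc01.example.local", "ldap/DC01"]},
    {"dn": "CN=WEB01,OU=Branch,DC=example,DC=local",
     "dNSHostName": "web01.example.local", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/app01.example.local"]},
]

if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE):
        print(finding)
```

Any finding on a computer inside an Organizational Unit delegated to ADManager technicians is worth comparing against the change history of that object.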
