Is CVE-2022-28810 actively exploited?

CVE-2022-28810 has no public evidence of in-the-wild exploitation as of 2025-10-31.

What is the CVSS score for CVE-2022-28810?

CVE-2022-28810 has a CVSS score of 6.8 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H.

How do I patch CVE-2022-28810?

Patch guidance is available from zohocorp security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2022-28810.

CVE-2022-28810 - remediation guidance & executive summary

Q: Which products are affected by CVE-2022-28810?

24 products: zohocorp manageengine adselfservice plus, zohocorp manageengine adselfservice plus, zohocorp manageengine adselfservice plus, zohocorp manageengine adselfservice plus, zohocorp manageengine adselfservice plus, and 19 more.

Description

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: high
User Action: required
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection CWE-798 · Hard-coded Credentials CWE-798 · Hard-coded Credentials

Metadata

Primary Vendor: ZOHOCORP
Published: 4/18/2022
Last Modified: 10/31/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

zohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_pluszohocorp : manageengine_adselfservice_plus

Remediation Guidance

Executive Summary

View on NIST NVD