VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2022 · Updated Aug 3, 2024

CVE-2022-28219

Description

An unauthenticated XXE vulnerability in the Cewolf charting library in ManageEngine ADAudit Plus before build 7060 allows remote code execution via chained attacks including Java deserialization and path traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the Cewolf charting library's CewolfRenderer servlet exposed at /cewolf endpoint in ManageEngine ADAudit Plus versions before build 7060. It involves an unauthenticated blind XML External Entities (XXE) injection, combined with untrusted Java deserialization and path traversal in the FileStorage class. The XXE can be used to write a malicious serialized Java object to an arbitrary location on disk, which is then deserialized by the same endpoint, leading to code execution. [1][3]

Exploitation

An unauthenticated attacker can send a crafted HTTP request to the /cewolf endpoint with a malicious XML payload containing an external entity that writes a serialized Java object to a chosen file path. The attacker must also provide a valid img parameter to specify the file path for deserialization. The Cewolf library does not sanitize the img parameter, allowing path traversal. The attacker can then trigger deserialization of the uploaded payload, executing arbitrary code. No authentication or user interaction is required. [1]
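As an added illustration (not code from ADAudit Plus or the Cewolf library), the two defensive checks whose absence the chain above depends on: a JAXP parser configured so that no DOCTYPE, and therefore no external entity, is processed, and a containment check that refuses an img value resolving outside the chart storage directory. The class name and the storage directory are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper class; names are assumptions, not Cewolf's or ADAudit Plus's code.
public class HardenedChartEndpoint {
    // Parser with DTDs disabled outright: an external entity cannot even be declared.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return f.newDocumentBuilder();
    }

    // Resolve a client-supplied img value strictly inside the chart storage directory.
    static Path resolveImage(Path storageRoot, String img) {
        Path root = storageRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(img).normalize();   // absolute img or ".." ends up outside root
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IllegalArgumentException("img escapes storage directory: " + img);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity, the shape an XXE probe takes.
        String doc = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/hostname\">]><d>&x;</d>";
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (org.xml.sax.SAXException e) {
            System.out.println("rejected XML: " + e.getMessage());
        }
        Path root = Paths.get("/var/chart-cache");  // placeholder directory, not the real one
        System.out.println("ok: " + resolveImage(root, "chart-42.png"));
        try {
            resolveImage(root, "../../tmp/x.ser");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected img: " + e.getMessage());
        }
    }
}
```

With the default JDK (Xerces) parser the disallow-doctype-decl feature makes the parse fail at the DOCTYPE itself, so a blind XXE write never reaches the entity resolver.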

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the ADAudit Plus server with the privileges of the application (typically SYSTEM or a high-privilege service account). This can lead to full compromise of the server and, due to the application's privileged access to Active Directory, potential escalation to domain administrator privileges. [1][3]

Mitigation

The vulnerability is fixed in ADAudit Plus build 7060, released on March 30, 2022. Users should upgrade to build 7065 or later. No workarounds are available. The vendor has also released an exploit detection tool. Public proof-of-concept exploit code is available, and the vulnerability is likely to be exploited. [3]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Vulnerable API endpoints in ADAudit Plus allow an unauthenticated attacker to exploit XML External Entities (XXE), Java deserialization, and path traversal, which can be chained for remote code execution."

Attack vector

An unauthenticated attacker sends crafted requests to vulnerable API endpoints in ADAudit Plus. By chaining XML External Entity (XXE) injection with Java deserialization and path traversal, the attacker can achieve remote code execution on the server [ref_id=1]. The advisory confirms that a proof-of-concept exploit is publicly available, indicating the attack chain is practical and weaponized [ref_id=1].

Affected code

The advisory states that "ADAudit Plus had some vulnerable API endpoints" that allowed exploitation of XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities [ref_id=1]. The specific endpoint paths or function names are not disclosed in the advisory.

What the fix does

The vulnerability is fixed in ADAudit Plus build 7060, released on March 30, 2022 [ref_id=1]. The advisory does not provide a patch diff or code-level details, but states that the vulnerable API endpoints were remediated to prevent XXE, deserialization, and path traversal attacks [ref_id=1]. Users are instructed to upgrade to build 7065 via the service pack [ref_id=1].

Preconditions

  • auth: No authentication required; the attacker can be unauthenticated.
  • network: Network access to the ADAudit Plus web console.
  • config: The target must be running an ADAudit Plus build below 7060.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (No linked articles in our index yet.)