H3-2022-0034
Anonymous Access to Zoho ManageEngine ADManager Plus Employee Search
Category | SECURITY_MISCONFIGURATION |
Base Score | 5.0 |
Description
'AD Search' is located on the ADManager Plus login page. It is an 'Employee Search' or 'People Finder' option for searching for users, or information about users, in your Active Directory. By default, you do not have to be logged in to use 'AD Search'.
Impact
This feature can be abused by unauthenticated users to enumerate all accounts in AD. Attackers will compile user lists to conduct further credential attacks.