
Zoho has released a security update addressing a high-severity SQL injection vulnerability in its ADAudit Plus software that allowed an authenticated attacker to execute arbitrary SQL queries.
The flaw, tracked as CVE-2024-49574 with a CVSS score of 8.3, affects all ADAudit Plus builds before 8123. It resides in the software's report generation feature: an authenticated attacker could exploit it to read or manipulate database table entries and extract sensitive information from the database.
According to ManageEngine's advisory, the vulnerability is particularly concerning because it can be leveraged for unauthorized database access. An attacker who exploits it could retrieve, modify, or delete audit data, undermining the integrity of Active Directory monitoring and potentially enabling further intrusion.
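The pattern described above, a report filter concatenated into a query so that an authenticated user controls part of the SQL, is shown here in a self-contained Python/sqlite3 example. This is an added illustration of the vulnerability class, not ADAudit Plus's code; the schema, table names, and the UNION payload are constructed for the demonstration and say nothing about the product's actual queries. The parameterized variant beside it is the standard fix.

```python
import sqlite3

# Constructed sample database: a tiny stand-in for an audit store with one
# table of audit events and one table an attacker would like to read.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE audit_events (id INTEGER PRIMARY KEY, username TEXT, action TEXT)")
    cur.execute("CREATE TABLE app_secrets (name TEXT, value TEXT)")
    cur.executemany(
        "INSERT INTO audit_events (username, action) VALUES (?, ?)",
        [("alice", "LOGON"), ("bob", "PASSWORD_CHANGE"), ("carol", "LOGOFF")],
    )
    cur.execute("INSERT INTO app_secrets VALUES ('db_password', 'constructed-secret')")
    conn.commit()
    return conn

def report_vulnerable(conn, username_filter):
    # The report's WHERE clause is built by string concatenation, so the
    # caller's filter value becomes part of the SQL grammar rather than data.
    sql = ("SELECT username, action FROM audit_events WHERE username = '"
           + username_filter + "'")
    return conn.execute(sql).fetchall()

def report_parameterized(conn, username_filter):
    # Bound parameter: the driver sends the filter as a value, so quotes,
    # UNION, and comment markers in it are compared literally, never executed.
    sql = "SELECT username, action FROM audit_events WHERE username = ?"
    return conn.execute(sql, (username_filter,)).fetchall()

# Hypothetical UNION-based payload. It supplies the same number of columns as
# the legitimate query, so rows from the secrets table come back inside the
# report; the trailing "--" comments out the closing quote the code appends.
PAYLOAD = "x' UNION SELECT name, value FROM app_secrets --"

# A simpler payload that only widens the filter to every row in the table.
BYPASS = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("legit filter, vulnerable :", report_vulnerable(db, "alice"))
    print("UNION payload, vulnerable:", report_vulnerable(db, PAYLOAD))
    print("UNION payload, fixed     :", report_parameterized(db, PAYLOAD))
    print("OR bypass, vulnerable    :", report_vulnerable(db, BYPASS))
```

Both functions return the same rows for an honest filter such as "alice"; only the concatenating version hands back the secrets row or the whole table when the filter carries SQL. Note that sqlite3's execute() refuses stacked statements, so a ";DELETE" style payload is not demonstrable here, but in database drivers that allow multiple statements the same concatenation would also permit the modification and deletion the advisory warns about.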
The vulnerability was fixed in build 8123, released on November 8, 2024. Administrators can apply the update with the service pack from the official website or through the product's built-in update mechanism. Because exploitation requires an authenticated ADAudit Plus account, reviewing which users hold such accounts is a sensible companion step while the upgrade is rolled out.