1. Introduction
ManageEngine ADSelfService Plus uses default administrative credentials (‘admin’ / ‘admin’) to protect access to its management interface. This allows a remote attacker to gain full administrative control of the application if they can reach it over the network. Successful exploitation could lead to complete compromise of the system, including data theft and modification. Confidentiality, integrity, and availability are all at risk.
2. Technical Explanation
The instance of ManageEngine ADSelfService Plus running on a remote web server uses default credentials for initial access. An attacker can exploit this by attempting to log in with these known credentials. This is possible because the application does not enforce strong password policies or require credential changes during installation.
- Root cause: Use of hardcoded, weak default administrative credentials.
- Exploit mechanism: An attacker attempts to authenticate using ‘admin’ / ‘admin’. If successful, they gain full control over the ADSelfService Plus instance.
- Scope: ManageEngine ADSelfService Plus versions prior to those with patched default credential behaviour.
3. Detection and Assessment
You can confirm whether a system is vulnerable by checking the application version and verifying whether the default credentials are still active. The most direct method is to attempt a login with the default credentials.
- Quick checks: Access the ADSelfService Plus login page. Check the ‘About’ section for the installed version.
- Scanning: Nessus plugin ID 16378 is one scanner check that detects this vulnerability.
- Logs and evidence: Examine application logs for successful logins using the ‘admin’ account. Log files are typically located in the ADSelfService Plus installation directory under the ‘logs’ folder.
No command is available to check the credentials directly without attempting a login.
4. Solution / Remediation Steps
To fix this issue, log into the application and change the default login credentials using the ‘Personalize’ feature.
4.1 Preparation
- Dependencies: Access to the application management interface with administrative privileges.
- Roll back plan: Restore the database from backup if necessary.
- Change window needs: A short maintenance window may be required. Approval from IT security team is recommended.
4.2 Implementation
- Step 1: Log into the ADSelfService Plus web interface using the default credentials (‘admin’ / ‘admin’).
- Step 2: Navigate to Administration > Personalize.
- Step 3: Change the Administrator Username and Password.
- Step 4: Save the changes.
- Step 5: Log out and log back in using the new credentials to verify the change.
4.3 Config or Code Example
Before
Username: admin
Password: admin
After
Username: new_admin_username
Password: strong_new_password
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Safe defaults – avoid using default credentials in any application or service.
- Practice 2: Strong password policies – enforce complex passwords and regular credential rotation.
4.5 Automation (Optional)
No suitable automation script is available for this vulnerability due to the need for interactive login and UI changes.
5. Verification / Validation
- Post-fix check: Attempt to log into ADSelfService Plus using ‘admin’ / ‘admin’. The login should fail.
- Re-test: Repeat the initial detection method (attempting login with default credentials) and confirm it no longer succeeds.
- Monitoring: Monitor application logs for failed login attempts using ‘admin’ or other common usernames.
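To support the log review in the detection step (section 3) and the failed-login monitoring above, here is an added Python example that is not part of the original document. The log line format, the field names and the list of watched account names are assumptions, and the sample lines are constructed rather than taken from a real ADSelfService Plus installation.

```python
import re
from collections import Counter

# Constructed sample log lines (not real ADSelfService Plus output). The format
# "<date> <time> <RESULT> user=<name> ip=<addr>" is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01 08:00:12 LOGIN_SUCCESS user=admin ip=10.0.0.5
2024-03-01 08:02:40 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-03-01 08:02:41 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-03-01 08:02:42 LOGIN_FAILURE user=administrator ip=203.0.113.7
2024-03-01 08:05:00 LOGIN_SUCCESS user=jdoe ip=10.0.0.9
2024-03-01 08:06:13 LOGIN_FAILURE user=root ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>LOGIN_SUCCESS|LOGIN_FAILURE) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Account names worth flagging: the default account plus other commonly guessed names
# (assumed list; extend it to match your environment).
WATCHED_USERS = {"admin", "administrator", "root"}


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def successful_admin_logins(events):
    """Detection evidence: successful logins with the default 'admin' account."""
    return [e for e in events if e["result"] == "LOGIN_SUCCESS" and e["user"] == "admin"]


def failed_watched_logins(events, threshold=3):
    """Monitoring: source IPs with at least `threshold` failed logins against watched accounts."""
    counts = Counter(e["ip"] for e in events
                     if e["result"] == "LOGIN_FAILURE" and e["user"] in WATCHED_USERS)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in successful_admin_logins(evts):
        print(f"[detect] successful admin login from {e['ip']} at {e['ts']}")
    for ip, n in failed_watched_logins(evts).items():
        print(f"[monitor] {n} failed logins on watched accounts from {ip}")
```

Point `parse_events` at the contents of the files under the installation's ‘logs’ folder once you have confirmed their actual line format and adjusted `LINE_RE` accordingly.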
No command is available to check the credentials directly without attempting a login.
6. Preventive Measures and Monitoring
Update security baselines to include a requirement for changing default credentials during application installation. Implement regular patch management processes.
- Baselines: Update your security baseline or policy to require immediate credential changes for all new applications, including ManageEngine ADSelfService Plus.
- Pipelines: Include checks in deployment pipelines to verify that default credentials are not present in configuration files.
- Asset and patch process: Implement a regular patch cycle for all software assets, prioritizing critical vulnerabilities like this one.
7. Risks, Side Effects, and Roll Back
Changing the administrator password could temporarily disrupt access if the new credentials are forgotten or lost. Ensure you have documented the new credentials securely.
- Risk or side effect 1: Loss of administrative access if new credentials are not remembered. Mitigation: Document the new credentials in a secure location.
- Roll back: Restore the database from backup to revert to the previous state, including the default credentials.
8. References and Resources
- Vendor advisory or bulletin: ManageEngine ADSelfService Plus Default Credentials Vulnerability
- NVD or CVE entry: CVE-2019-6134
- Product or platform documentation relevant to the fix: ManageEngine ADSelfService Plus – Personalizing Your Application