CVE-2026-1367: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Zohocorp ManageEngine ADSelfService Plus
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1367 is an authenticated SQL Injection in Zohocorp ManageEngine ADSelfService Plus affecting builds 6522 and earlier. The flaw is in the search report option: the search term is incorporated into a SQL statement without being neutralized (CWE-89), so a logged-in user can change the query the server runs against the product's backing database. The reported CVSS v3.1 base score is 8.3, which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L: reachable over the network, low attack complexity, low privileges (any authenticated account), no user interaction, high impact on confidentiality and integrity, and low impact on availability. Successful exploitation could let an attacker read, modify or delete data in that database, which may include user and configuration data and audit records. No public exploit was known when this entry was written, but the product's role as an enterprise password self-service tool tied to Active Directory makes it a credible target for an attacker who already holds one account. No patch was listed at the time of disclosure, so compensating controls are needed until the vendor's fixed build is installed. The CVE was reserved on 2026-01-23 and published in February 2026.
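The following is an added illustration of the CWE-89 pattern described above, not code from ManageEngine ADSelfService Plus (the product is closed source and the actual report-search query is not published). The table names, columns, sample rows and the two search_reports_* functions are assumptions made for the demonstration. It shows a "search report" lookup built by string concatenation, the same lookup parameterized, and what a single crafted search term does to each.

```python
"""Illustration of CWE-89 in a "search report" style feature.

Added example; not ManageEngine code. The schema, rows and function
names below are assumptions for the demonstration only.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        CREATE TABLE app_users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO reports VALUES (1, 'Locked out users', 'alice'),
                                   (2, 'Password expiry', 'alice'),
                                   (3, 'Enrollment status', 'bob');
        INSERT INTO app_users VALUES (1, 'admin', 'sha256$9f86d0...'),
                                     (2, 'alice', 'sha256$ba7816...');
        """
    )
    return conn


def search_reports_vulnerable(conn, owner: str, term: str) -> list:
    """The CWE-89 pattern: the search term is spliced into the SQL text.

    `owner` is the authenticated user, `term` is the report-name search box.
    A single quote in `term` closes the string literal, and everything after
    it is parsed as SQL rather than as data.
    """
    sql = ("SELECT name, owner FROM reports "
           f"WHERE owner = '{owner}' AND name LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def search_reports_fixed(conn, owner: str, term: str) -> list:
    """Parameterized query: the driver passes `term` as a bound value, so it
    can never change the statement's structure. LIKE wildcards are escaped
    too, so a search for '%' or '_' matches literally instead of everything.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT name, owner FROM reports "
           "WHERE owner = ? AND name LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (owner, f"%{escaped}%")).fetchall()


# Constructed payload: closes the LIKE literal, UNIONs in a different table,
# and comments out the trailing "%'" left by the original statement.
PAYLOAD = "' UNION SELECT username, pw_hash FROM app_users --"


def demo() -> dict:
    """Run the same inputs through both versions and return the rows."""
    conn = build_db()
    return {
        "normal": search_reports_vulnerable(conn, "alice", "Pass"),
        "injected": search_reports_vulnerable(conn, "alice", PAYLOAD),
        "fixed": search_reports_fixed(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the payload returns the caller's own reports plus every row of the unrelated app_users table; with the parameterized query the same payload is just a report name that matches nothing. The owner filter in the vulnerable version gives no protection, because the UNION runs after it. This is why item 5 of the mitigations is only a partial control for customers: the structural fix (binding the search term as a parameter) has to happen in the vendor's code.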
Potential Impact
The vulnerability is a significant risk to organizations running ADSelfService Plus because any attacker holding valid credentials can inject SQL through the search report option. Confidentiality is the primary concern: the backend database may expose user and credential-related data and internal configuration. Integrity is also at risk, since an attacker can alter or delete data, which could disrupt authentication workflows or tamper with audit trails. Availability impact is rated low, but partial disruption is possible if database integrity is damaged. Exploitation is only moderately hard: a login is required but no user interaction is, so insider threats and already-compromised accounts are the realistic attacker population. The advisory does not say which role the search report option requires; if it is reachable by ordinary self-service users, every domain account is a candidate attacker, and if it is an admin-console feature the pool is limited to administrative or operator accounts. Plan against the lower bar until the vendor clarifies. Because ADSelfService Plus sits in the password self-service and identity path, a successful attack can feed lateral movement, privilege escalation and data breaches. The absence of a known exploit limits immediate widespread impact, but the high score and the product's central role in IT infrastructure elevate the threat level.
Mitigation Recommendations
Organizations should prioritize the following mitigation steps:
1) Confirm exposure by checking the installed build number (6522 and below are affected), monitor vendor communications for the fixed build, and apply it as soon as it is released.
2) Restrict access to ADSelfService Plus interfaces to trusted networks and users, using network segmentation and firewall rules; an internet-facing self-service portal widens the attacker population to every account that can log in.
3) Enforce strong authentication and account management policies (MFA where the product supports it, prompt deprovisioning, credential hygiene) to reduce the risk of a compromised account being used as the foothold.
4) Put a Web Application Firewall in front of the product with rules that detect and block SQL Injection patterns in requests to the search report functionality. Treat WAF rules as a speed bump, not a fix: log matches as well as blocking them, since encoding tricks can slip past pattern rules.
5) Validate and sanitize user-supplied data in any custom integrations or extensions you maintain that pass search terms to the product. The structural fix for the product itself (parameterizing the report search query) can only come from the vendor.
6) Enable detailed logging of application requests and database queries, and monitor for injection indicators (quotes, UNION SELECT, comment sequences, stacked statements) in search report parameters, attributing each hit to the authenticated account so the source can be investigated.
7) Regularly audit user privileges so that least privilege is enforced on both product roles and the database account the product uses.
8) Where feasible, temporarily disable the search report feature or limit it to a small set of administrative accounts until the patch is applied.
These measures together reduce the attack surface and limit the paths available to an authenticated attacker while the vendor fix is pending.
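Steps 4 and 6 call for detecting injection attempts against the search report functionality in request logs. The script below is an added example of that detection logic run over constructed access-log lines; it is not a ManageEngine, OffSeq or page artifact. The endpoint path in REPORT_SEARCH_PATHS is a placeholder, because the advisory does not name the search report URL: replace it with the path you observe for that feature in your own logs. The log format is assumed to be a common-log style line with the authenticated username in the third field.

```python
"""Scan access-log lines for SQL injection indicators aimed at the report
search endpoint. Added example with constructed data; the endpoint path and
log format are assumptions to be adjusted to the real deployment.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder: the advisory does not give the real search-report URL.
REPORT_SEARCH_PATHS = ("/RestAPI/Reports/Search",)

# Indicators that a search term is changing query structure rather than
# matching report names. Kept narrow to limit noise on legitimate searches.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=", re.I),              # ' or 1=1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),             # UNION SELECT
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),  # stacked query
    re.compile(r"(--|/\*|#)\s*$"),                                  # trailing comment
    re.compile(r"\b(sleep|pg_sleep|waitfor\s+delay|benchmark)\s*\(", re.I),  # time-based
]

# Common-log style: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_params(target: str) -> tuple:
    """Split the request target into path and query parameters.

    Values are URL-decoded twice so a double-encoded payload (%2527 -> %27
    -> ') is inspected in its final form. A literal '%25' in a legitimate
    search term is decoded one step too far, which is an accepted trade-off
    for a detector.
    """
    parts = urlsplit(target)
    params = {k: unquote(unquote(v))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return parts.path, params


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for a request that carries SQLi indicators to the
    report search endpoint, else None. Unparseable lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = decode_params(m.group("target"))
    if path not in REPORT_SEARCH_PATHS:
        return None
    for name, value in params.items():
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
        if hits:
            return {"ip": m.group("ip"), "user": m.group("user"),
                    "param": name, "value": value, "patterns": hits}
    return None


def scan(lines) -> list:
    """Run inspect_line over an iterable of log lines and collect findings."""
    return [f for f in (inspect_line(ln) for ln in lines) if f]


# Constructed sample lines (not real traffic). Line 2 is a plain UNION
# payload, line 3 is double-encoded, line 4 hits an unrelated endpoint.
SAMPLE_LOG = """\
10.0.0.5 - alice [23/Feb/2026:07:32:13 +0000] "GET /RestAPI/Reports/Search?name=expiry HTTP/1.1" 200
10.0.0.7 - bob [23/Feb/2026:07:33:01 +0000] "GET /RestAPI/Reports/Search?name=%27%20UNION%20SELECT%20username%2Cpw_hash%20FROM%20app_users%20-- HTTP/1.1" 200
10.0.0.9 - carol [23/Feb/2026:07:34:40 +0000] "GET /RestAPI/Reports/Search?name=%2527%2520or%25201%253D1%2520-- HTTP/1.1" 200
10.0.0.9 - carol [23/Feb/2026:07:35:02 +0000] "GET /help/search?q=%27%20or%201%3D1 HTTP/1.1" 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding carries the authenticated username as well as the source IP, which matters for an authenticated bug: the follow-up is to check whether that account is an insider or was compromised, not just to block the address. The same pattern set can be loaded into a WAF rule for step 4, with the caveat stated there that pattern matching is bypassable and should be logged, not relied on as the fix.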
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, Japan, France, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: Zohocorp
- Date Reserved: 2026-01-23T12:04:24.781Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699c027dbe58cf853b5217e6
Added to database: 2/23/2026, 7:32:13 AM
Last enriched: 3/2/2026, 8:08:09 PM
Last updated: 4/8/2026, 8:36:36 PM
Views: 117