CVE-2022-35405: ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability.

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

Tags: vulnerability, rce, auth

Severity : Critical

CVE ID : CVE-2022-35405

This document explains the remote code execution vulnerability identified in the following ManageEngine products:

  1. Unauthenticated remote code execution in ManageEngine Password Manager Pro and PAM360.
  2. Authenticated remote code execution in ManageEngine Access Manager Plus.

The complete fix is now available in the versions listed below:

Product Name           Affected Version(s)   Fixed Version(s)   Fixed On
Access Manager Plus    4302 and below        4303               24-06-2022
Password Manager Pro   12100 and below       12101              24-06-2022
PAM360                 5500 and below        5510               23-06-2022

Impact:
This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360.

We have fixed this vulnerability:

  • By completely removing the vulnerable components from PAM360 and Access Manager Plus.
  • By removing the vulnerable parser from Password Manager Pro.

Caution:
A public proof-of-concept exploit for this vulnerability is available. We strongly recommend that customers upgrade their Password Manager Pro, PAM360 and Access Manager Plus instances immediately.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective product:
    • PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
    • Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
    • Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Vinicius.

Please contact product support for further details at the email addresses below:

Password Manager Pro: [email protected]

Access Manager Plus: [email protected]

PAM360: [email protected]

Related news

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Flaw in some ManageEngine apps is being actively exploited, says CISA

The critical CVE-2022-35405 flaw affects several Zoho ManageEngine products. Federal and private organizations must patch now! (Malwarebytes Labs)

CISA: Zoho ManageEngine RCE Bug Is Under Active Exploit

The bug allows unauthenticated code execution on the company's firewall products, and CISA says it poses "significant risk" to federal government.

CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency

Zoho Password Manager Pro XML-RPC Java Deserialization

This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.
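The following is an added triage example, not code from ManageEngine or from the advisory: it checks an installed build number against the fixed builds in the table above and scans web server access log lines for POST requests to the /xmlrpc endpoint named in the Metasploit description, so that defenders can prioritise patching and review suspicious traffic. The Common Log Format layout and the sample log lines are constructed assumptions; the products' real access logs may differ.

```python
import re

# Fixed builds from the advisory table (builds below these are affected).
FIXED_BUILDS = {
    "Access Manager Plus": 4303,
    "Password Manager Pro": 12101,
    "PAM360": 5510,
}

# Products the advisory lists as exploitable without authentication.
UNAUTHENTICATED_RCE = {"Password Manager Pro", "PAM360"}


def assess_build(product: str, build: int) -> dict:
    """Compare an installed build number against the advisory's fixed builds."""
    if product not in FIXED_BUILDS:
        raise ValueError(f"unknown product: {product!r}")
    fixed = FIXED_BUILDS[product]
    return {
        "product": product,
        "build": build,
        "affected": build < fixed,
        "fixed_build": fixed,
        "unauthenticated": product in UNAUTHENTICATED_RCE,
    }


# Assumed Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_xmlrpc_posts(log_lines):
    """Return POST requests whose path (query string stripped) is the /xmlrpc endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path.lower().endswith("/xmlrpc"):
            size = m.group("size")
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "status": int(m.group("status")),
                         "size": 0 if size == "-" else int(size)})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2023:09:12:01 +0000] "GET /login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2023:09:12:05 +0000] "POST /xmlrpc HTTP/1.1" 200 213',
    '198.51.100.4 - - [10/Jan/2023:09:13:44 +0000] "POST /xmlrpc?x=1 HTTP/1.1" 500 -',
    '192.0.2.9 - - [10/Jan/2023:09:14:02 +0000] "GET /xmlrpc HTTP/1.1" 405 0',
]
```

A POST to /xmlrpc is not proof of exploitation on its own; treat hits on an unpatched build as leads for incident review.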
