Flaw in some ManageEngine apps is being actively exploited, says CISA

The critical CVE-2022-35405 flaw affects several Zoho ManageEngine products. Federal and private organizations must patch now!


The post Flaw in some ManageEngine apps is being actively exploited, says CISA appeared first on Malwarebytes Labs.

Malwarebytes

CISA (the Cybersecurity and Infrastructure Security Agency) recently added CVE-2022-35405—a remote code execution (RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)—to its Known Exploited Vulnerabilities (KEV) Catalog, a list of known CVEs that carry significant risk to the federal enterprise. Adding a CVE to the catalog obliges all Federal Civilian Executive Branch (FCEB) agencies to patch it.

According to BleepingComputer, federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they’re patched and their networks are protected from attacks leveraging this vulnerability.

CVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software—without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.

Researcher Vinicius Pereira first flagged this vulnerability in June 2022. Since then, several proofs of concept (PoCs) and a Metasploit module for it have been made public.

ManageEngine “strongly recommends” that its clients upgrade their affected software as soon as possible. The company pointed to the following locations where customers can download updates:

  • Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
  • PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
  • Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html

While private organizations don’t have a ruling requiring them to patch noteworthy flaws, CISA still urges them to patch as soon as they can.

Related news

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CISA: Zoho ManageEngine RCE Bug Is Under Active Exploit

The bug allows unauthenticated code execution on the company's firewall products, and CISA says it poses "significant risk" to federal government.

CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency

Zoho Password Manager Pro XML-RPC Java Deserialization

This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.

CVE-2022-35405: ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability.

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)