- CISA has added the ManageEngine vulnerability to its Known Exploited Vulnerabilities Catalog, urging federal agencies to patch it.
- The flaw allows attackers to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro or Access Manager Plus.
- ManageEngine released patched versions on the 23rd and 24th of June, and a proof-of-concept is publicly available.
The Cybersecurity and Infrastructure Security Agency has added the ManageEngine vulnerability to its Known Exploited Vulnerabilities Catalog. The Java deserialization vulnerability, tracked as CVE-2022-35405, allows attackers to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro or Access Manager Plus.
Remote code execution
ManageEngine published an advisory about the vulnerability. Affected versions are:
- Access Manager Plus: 4302 and below
- Password Manager Pro: 12100 and below
- PAM360: 5500 and below
Fixed versions were released on the 23rd and 24th of June. The flaw allows third parties to execute arbitrary code on affected installations of Password Manager Pro, PAM360, and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360. The company has fixed the vulnerability:
- By completely removing the vulnerable components from PAM360 and Access Manager Plus.
- By removing the vulnerable parser from Password Manager Pro.
A proof-of-concept is publicly available, so the company urges all users to upgrade their instances of Password Manager Pro, PAM360, and Access Manager Plus immediately. CISA also added the vulnerability to its KEV catalog, requiring all Federal Civilian Executive Branch agencies to patch their systems by October 13th under the binding operational directive.