Zoho has released patches for a critical remote code execution vulnerability in its ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. CISA also added the vulnerability (CVE-2022-35405) to its Known Exploited Vulnerabilities (KEV) Catalog.
The advisory strongly recommends that users update to the latest versions of PAM360, Access Manager Plus, and Password Manager Pro, because proof-of-concept (PoC) exploit code for the vulnerability is publicly available.
ManageEngine PAM360 provides a complete solution to control, manage, and audit the entire life cycle of privileged accounts and their access.
ManageEngine Password Manager Pro comes with a secure vault for storing and managing shared sensitive information such as passwords, documents, and digital identities of enterprises.
Access Manager Plus is an enterprise-ready solution for security administrators. This tool allows direct, granular access to critical systems spanning the entire infrastructure, and manages privileged sessions with real-time auditing controls.
Description
No authentication is required to exploit the vulnerability in ManageEngine Password Manager Pro and PAM360; in ManageEngine Access Manager Plus, authentication is required.
Zoho has fixed this vulnerability by removing:
- The vulnerable components from PAM360 and Access Manager Plus
- The vulnerable parser from Password Manager Pro
Affected versions
- PAM360 build version 5500 and earlier
- Access Manager Plus build version 4302 and earlier
- Password Manager Pro build version 12100 and earlier
Mitigation
Customers are advised to upgrade to the latest versions listed below:
- PAM360 version 5510
- Access Manager Plus version 4303
- Password Manager Pro version 12101
The patched versions can be downloaded from:
- PAM360 – https://www.manageengine.com/privileged-access-management/upgradepack.html
- Password Manager Pro – https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
- Access Manager Plus – https://www.manageengine.com/privileged-session-management/upgradepack.html
For more information, refer to the Zoho ManageEngine ADAudit Plus Security Advisory.
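The following is an added example, not part of the Zoho advisory or of Qualys' own tooling: a small triage script that checks a host inventory against the affected build ranges stated above. The inventory is constructed for illustration, and the version strings are assumed to contain the product's build number in the form "build 5500" or "build version 5500".

```python
# Added example (not from the Zoho advisory or Qualys): triage a host inventory
# against the affected and fixed builds stated in the advisory for CVE-2022-35405.
import re

# Highest affected build per product and the first fixed build (from the advisory).
AFFECTED_MAX = {"PAM360": 5500, "Access Manager Plus": 4302, "Password Manager Pro": 12100}
FIXED_BUILD = {"PAM360": 5510, "Access Manager Plus": 4303, "Password Manager Pro": 12101}
# Per the advisory, only Access Manager Plus requires authentication to exploit;
# unauthenticated exposure is treated as the higher remediation priority.
UNAUTHENTICATED = {"PAM360": True, "Access Manager Plus": False, "Password Manager Pro": True}

# Assumed version-string format, e.g. "build 5500" or "build version 5500".
BUILD_RE = re.compile(r"build\s*(?:version\s*)?(\d+)", re.IGNORECASE)


def parse_build(version_text):
    """Return the integer build number found in a version string, or None."""
    match = BUILD_RE.search(version_text)
    return int(match.group(1)) if match else None


def assess(host, product, version_text):
    """Classify one inventory entry as vulnerable, patched, unknown or out of scope."""
    result = {"host": host, "product": product}
    if product not in AFFECTED_MAX:
        result["status"] = "not_in_scope"
        return result
    build = parse_build(version_text)
    if build is None:
        # A build we cannot parse must be verified by hand, not assumed patched.
        result["status"] = "unknown_build"
        return result
    result["build"] = build
    if build <= AFFECTED_MAX[product]:
        result["status"] = "vulnerable"
        result["upgrade_to"] = FIXED_BUILD[product]
        result["priority"] = "P1" if UNAUTHENTICATED[product] else "P2"
    else:
        result["status"] = "patched"
    return result


def triage(inventory):
    """Assess every (host, product, version_text) tuple in the inventory."""
    return [assess(host, product, version_text) for host, product, version_text in inventory]


# Constructed sample inventory (hostnames and builds are illustrative).
INVENTORY = [
    ("pam-01.example.internal", "PAM360", "PAM360 build 5500"),
    ("pmp-01.example.internal", "Password Manager Pro", "build version 12101"),
    ("amp-01.example.internal", "Access Manager Plus", "build 4300"),
    ("pmp-02.example.internal", "Password Manager Pro", "version string missing"),
    ("adaudit-01.example.internal", "ADAudit Plus", "build 7000"),
]

if __name__ == "__main__":
    for entry in triage(INVENTORY):
        print(entry)
```

Entries reported as "vulnerable" list the build to upgrade to; "unknown_build" entries should be checked manually rather than assumed safe, and hosts outside the three products are marked out of scope for this advisory.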
Qualys Detection
Qualys customers can scan their devices with QID 377607 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.manageengine.com/products/passwordmanagerpro/advisory/rce.html