ManageEngine Full 360

In June, Zoho announced critical RCE vulnerabilities in its ManageEngine PAM360, Password Manager Pro, and Access Manager Plus software (CVE-2022-35405). Zoho published updates on June 24, 2022, and on September 22, 2022, CISA reclassified this vulnerability to “Currently under active exploit and now poses a significant risk to the federal government”. Proof-of-concept exploit code for this vulnerability is publicly available, making exploitation easy for a potential attacker. Exploiting the vulnerability in Access Manager Plus requires authentication, while the vulnerabilities in the other applications can be exploited without authentication.

If you are using any of these ManageEngine products, please use the following links to the NIST CVE detail page and Zoho’s ManageEngine advisory page for the CVE, which has instructions for remediating the vulnerability.

NIST CVE-2022-35405 Detail Page: https://nvd.nist.gov/vuln/detail/CVE-2022-35405

ManageEngine Advisory page for CVE-2022-35405: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html



Reach out to our incident response team for help
