CVE-2022-29081
Published 2022-04-28
Priority: P1 (91) · Severity: critical · CVSS 3.1 score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 83.32% (99.6th percentile)
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the `../RestAPI` substring.
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
| zohocorp | manageengine_password_manager_pro | — | — |
Detection & IOCs

Snort / Suricata rule (Emerging Threats, sid:2066037):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine API Authentication Bypass (CVE-2022-29081)"; flow:established,to_server; http.uri.raw; content:"/RestAPI/"; fast_pattern; offset:5; pcre:"/(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,})+RestAPI\x2f/I"; reference:url,www.tenable.com/security/research/tra-2022-14; reference:cve,2022-29081; classtype:web-application-attack; sid:2066037; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, cve CVE_2022_29081, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2025_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit requests use path traversal via the `../RestAPI` substring (or URL-encoded variants) to bypass access controls on REST API endpoints. Look for URI patterns matching `..` sequences followed by `/RestAPI/` in HTTP requests to ManageEngine products.
- The Nuclei PoC template sends a POST to `/x/..//RestAPI/LicenseMgr` with body `operation=getLicenseDetails` and expects a 200 response containing the JSON keys `BUILD_NO`, `LICENSE_TO`, `VERSION`, and `PRODUCT_NAME`; a successful response confirms unauthenticated access.
- The Emerging Threats rule (sid:2066037) detects this bypass by matching `/RestAPI/` in the raw HTTP URI at offset 5 or later, combined with a PCRE for dot/slash path-traversal sequences (including the `%2e`, `%2f`, `%5c` and double-percent-encoded variants) immediately preceding `RestAPI/`.
- The Shodan query `http.title:"manageengine"` can be used to identify internet-exposed ManageEngine instances potentially vulnerable to this CVE.
- The rule specifies `tls_state TLSDecrypt` in its metadata, meaning detection of this bypass over HTTPS requires TLS inspection/decryption to be in place on the monitoring sensor.
- Affected versions are Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401. Detection rules should be scoped to hosts running these products.
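The following is an added example, not code from the page, from Emerging Threats, or from the Tenable advisory it references. It re-implements the two conditions of the quoted rule (the literal `/RestAPI/` content match at byte offset 5 or later on the raw URI, and the traversal PCRE taken verbatim from the rule) and runs them over a few constructed web-server access-log lines so a defender can check what the signature does and does not fire on. The log format, IP addresses and request paths are constructed for the example; the only path taken from the page is the Nuclei PoC's `/x/..//RestAPI/LicenseMgr`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Traversal PCRE copied from the ET rule (sid:2066037) on this page; Python's re accepts it as-is.
TRAVERSAL_RE = re.compile(
    r"(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,})+RestAPI\x2f",
    re.IGNORECASE,
)

# Minimal combined-log-format parser (constructed format, not any vendor's log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    src: str
    method: str
    uri: str
    status: int
    traversal: str  # the exact substring the PCRE matched, useful for triage


def matches_rule(raw_uri: str) -> bool:
    """Mirror the rule: literal '/RestAPI/' found at byte offset >= 5 of the raw URI
    AND the traversal PCRE matches somewhere in the raw URI."""
    content_ok = raw_uri.find("/RestAPI/", 5) != -1
    return content_ok and TRAVERSAL_RE.search(raw_uri) is not None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request line that satisfies both rule conditions."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        uri = m.group("uri")
        if not matches_rule(uri):
            continue
        t = TRAVERSAL_RE.search(uri)
        hits.append(Hit(m.group("src"), m.group("method"), uri, int(m.group("status")), t.group(0)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jan/2024:10:00:00 +0000] "POST /x/..//RestAPI/LicenseMgr HTTP/1.1" 200 512
203.0.113.11 - - [06/Jan/2024:10:00:05 +0000] "POST /x/%2e%2e/RestAPI/GetProductDetails HTTP/1.1" 200 488
203.0.113.12 - - [06/Jan/2024:10:00:09 +0000] "POST /x/%2e%2e%2fRestAPI/GetDashboard HTTP/1.1" 200 700
198.51.100.7 - - [06/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.8 - - [06/Jan/2024:10:01:30 +0000] "GET /static/../images/logo.png HTTP/1.1" 200 1200
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{h.src} {h.method} {h.uri} -> {h.status} (traversal: {h.traversal!r})")
```

Two of the five constructed lines produce hits: the plain `..//RestAPI/` PoC path and the `%2e%2e/RestAPI/` variant with encoded dots. The third line, `%2e%2e%2fRestAPI/`, satisfies the PCRE but not the literal `/RestAPI/` content match on the raw URI, because the slash before `RestAPI` is encoded; if your sensor or log pipeline normalizes URIs before matching, that case will be covered there, otherwise it is worth knowing the literal pre-filter is what gates the signature. A plain traversal against a static path and a normal page request produce no hit.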
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-59xq-494m-chp8 · ghsa_unreviewed · 2022-04-29 · CWE-22 · CRITICAL
VulnCheck
Zoho manageengine_access_manager_plus Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2022 · CVSS 9.8 · CRITICAL
Affected: Zoho manageengine_access_manager_plus
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-06&host_type=src&vulnerability=cve-2022-29081; https://das
Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine API Authentication Bypass (CVE-2022-29081)
suricata · 2025-12-05 · CVSS 9.8 · CRITICAL
Rule: sid:2066037, quoted in full under Detection & IOCs above.
Nuclei
Zoho ManageEngine - Access Control Bypass
nuclei · CVSS 9.8 · CRITICAL
Template:

```yaml
id: CVE-2022-29081

info:
  name: Zoho ManageEngine - Access Control Bypass
  author: 0xanis
  severity: critical
  description: |
    Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
  impact: |
```
No writeups or analysis indexed.