CVE-2022-29081
published 2022-04-28


Priority: P1 (91) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 83.32% (99.6th percentile)
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

Affected (20 ranges)

Vendor     Product                              Ranges
zohocorp   manageengine_access_manager_plus     4
zohocorp   manageengine_pam360                  8
zohocorp   manageengine_password_manager_pro    8

Fixed builds (per the description): Access Manager Plus 4302, Password Manager Pro 12007, PAM360 5401.

Detection & IOCs (extracted from sources)

url: /x/..//RestAPI/LicenseMgr
path: ../RestAPI
command: operation=getLicenseDetails
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine API Authentication Bypass (CVE-2022-29081)"; flow:established,to_server; http.uri.raw; content:"/RestAPI/"; fast_pattern; offset:5; pcre:"/(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,})+RestAPI\x2f/I"; reference:url,www.tenable.com/security/research/tra-2022-14; reference:cve,2022-29081; classtype:web-application-attack; sid:2066037; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, cve CVE_2022_29081, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2025_12_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests use path traversal via the `../RestAPI` (or URL-encoded variants) substring to bypass access controls on REST API endpoints. Look for URI patterns matching `..` sequences followed by `/RestAPI/` in HTTP requests to ManageEngine products.
  • The Nuclei PoC template sends a POST to `/x/..//RestAPI/LicenseMgr` with body `operation=getLicenseDetails` and expects a 200 response containing JSON keys `BUILD_NO`, `LICENSE_TO`, `VERSION`, and `PRODUCT_NAME` — a successful response confirms unauthenticated access.
  • The Emerging Threats Snort rule (sid:2066037) detects this bypass by matching `/RestAPI/` in the raw HTTP URI at offset 5, combined with a PCRE for dot/slash encoded path traversal sequences (including %2e, %2f, %5c, and double-percent variants) preceding `RestAPI/`.
  • Shodan query `http.title:"manageengine"` can be used to identify internet-exposed ManageEngine instances potentially vulnerable to this CVE.
  • The Snort rule specifies `tls_state TLSDecrypt` in its metadata, meaning detection of this bypass over HTTPS requires TLS inspection/decryption to be in place on the monitoring sensor.
  • Affected versions are Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401. Detection rules should be scoped to hosts running these products.
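For environments without TLS decryption on the sensor, the same two conditions the Snort rule checks (the literal `/RestAPI/` from byte 5 of the raw URI, and the PCRE for plain, %-encoded and double-%-encoded dot/slash sequences before `RestAPI/`) can be applied retroactively to web-server access logs. The script below is an added example, not code from the page or its sources; the log lines are constructed and the parsing regex assumes combined log format.

```python
import re

# Added example, not from the page: re-implements the two conditions of the
# Emerging Threats rule sid:2066037 quoted above and runs them over constructed
# access-log lines. The PCRE is copied from the rule; the content check mirrors
# its 'content:"/RestAPI/"; offset:5' clause.
TRAVERSAL_RE = re.compile(
    r"(?:(?:\x2e|%(?:25)?2[Ee]){1,2}"                    # 1-2 dots: raw, %2e or %252e
    r"(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,})+"   # 1+ slashes, raw or encoded
    r"RestAPI\x2f"                                       # immediately followed by RestAPI/
)
CONTENT = "/RestAPI/"
CONTENT_OFFSET = 5  # the rule only looks for the literal from byte 5 of the raw URI

def matches_rule(uri: str) -> bool:
    """True when a raw request URI satisfies both clauses of the Snort rule."""
    if uri.find(CONTENT, CONTENT_OFFSET) == -1:
        return False
    return TRAVERSAL_RE.search(uri) is not None

# Constructed sample lines in combined log format (not real traffic). The first two
# carry the traversal forms discussed above; the last two are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2022:10:00:01 +0000] "POST /x/..//RestAPI/LicenseMgr HTTP/1.1" 200 512
10.0.0.6 - - [28/Apr/2022:10:00:02 +0000] "POST /x/%2e%2e/RestAPI/LicenseMgr HTTP/1.1" 200 512
10.0.0.7 - - [28/Apr/2022:10:00:03 +0000] "POST /RestAPI/LicenseMgr HTTP/1.1" 401 97
10.0.0.8 - - [28/Apr/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(text: str):
    """Return (client_ip, method, uri, status) for every line matching the rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, uri, status = m.groups()
        if matches_rule(uri):
            hits.append((ip, method, uri, int(status)))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("CVE-2022-29081 traversal pattern:", hit)
```

A 200 on a hit is the stronger signal: the Nuclei template above treats a 200 carrying the license JSON keys as confirmation that the bypass succeeded, whereas a 401 means the request was rejected.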

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   n/a       9.8     CRITICAL   n/a