CVE-2022-35405
Published: 2022-07-19
Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability · remediation due 2022-10-13
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_access_manager_plus | < 4.3 | 4.3 |
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_pam360 | < 5.5 | 5.5 |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_password_manager_pro | < 12.1 | 12.1 |
| zohocorp | manageengine_password_manager_pro | — | — |
Detection & IOCs (extracted from sources)
Sigma: HTTP POST to /xmlrpc endpoint on ManageEngine products returning 'faultString' with 'No such service' or 'No such handler' in response body
- Monitor for unauthenticated HTTP POST requests to the /xmlrpc endpoint on ManageEngine Password Manager Pro, PAM360, and Access Manager Plus instances.
- Probe/exploit traffic can be fingerprinted by a POST body containing an XML-RPC methodCall structure and a response body containing 'faultString' alongside 'No such service' or 'No such handler'.
- Use Shodan/FOFA/Google dorks to identify exposed ManageEngine instances: Shodan 'http.title:"ManageEngine"', FOFA 'title="manageengine"', Google 'intitle:"manageengine"'.
- Exploitation results in code execution as the SYSTEM user on Windows; look for anomalous child processes spawned by the ManageEngine service process.
- Access Manager Plus requires authentication to exploit, unlike Password Manager Pro and PAM360, which are vulnerable to unauthenticated RCE.
- Vulnerable version thresholds: Password Manager Pro before 12101, PAM360 before 5510, Access Manager Plus before 4303.
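The detection guidance above (POSTs to /xmlrpc whose response carries 'faultString' together with 'No such service' or 'No such handler', plus the fixed-build thresholds) can be turned into a small triage script. The following is an added example written for this page, not code from any of the sources listed; the JSON-lines log records and their field names (src, method, path, req_body, status, resp_body) are constructed for the demonstration, and the product keys in FIXED_BUILDS are this example's own naming.

```python
import json
import re
from collections import Counter

# Constructed sample records in JSON-lines form, shaped like what a reverse proxy
# or WAF in front of a ManageEngine instance might export. Field names are an
# assumption of this example, not a vendor log format.
SAMPLE_LOG = r'''
{"src": "198.51.100.7", "method": "POST", "path": "/xmlrpc", "req_body": "<?xml version=\"1.0\"?><methodCall><methodName>x</methodName></methodCall>", "status": 200, "resp_body": "<methodResponse><fault><value><struct><member><name>faultString</name><value>No such handler: x</value></member></struct></value></fault></methodResponse>"}
{"src": "10.0.0.5", "method": "GET", "path": "/login", "req_body": "", "status": 200, "resp_body": "<html>login</html>"}
{"src": "198.51.100.7", "method": "POST", "path": "/xmlrpc", "req_body": "<methodCall><methodName>y</methodName></methodCall>", "status": 200, "resp_body": "<methodResponse><fault><value><struct><member><name>faultString</name><value>No such service</value></member></struct></value></fault></methodResponse>"}
{"src": "10.0.0.9", "method": "POST", "path": "/xmlrpc", "req_body": "<methodCall><methodName>z</methodName></methodCall>", "status": 200, "resp_body": "<methodResponse><params><param><value>ok</value></param></params></methodResponse>"}
{"src": "10.0.0.9", "method": "POST", "path": "/api/json", "req_body": "{}", "status": 200, "resp_body": "{}"}
'''

# Response-body signature named in the Sigma rule title above.
FAULT_RE = re.compile(r"No such (?:service|handler)")

# Fixed builds from the advisory text; anything below is in the vulnerable range.
FIXED_BUILDS = {
    "password_manager_pro": 12101,
    "pam360": 5510,
    "access_manager_plus": 4303,
}


def classify(record):
    """Return (severity, reason) for one parsed record, or None if not of interest."""
    if record.get("method") != "POST" or not record.get("path", "").startswith("/xmlrpc"):
        return None
    req = record.get("req_body", "")
    resp = record.get("resp_body", "")
    # Strongest signal: the fault string the probe traffic produces.
    if "faultString" in resp and FAULT_RE.search(resp):
        return ("high", "xmlrpc fault signature (faultString + No such service/handler)")
    # Weaker signal: any XML-RPC methodCall posted to the endpoint.
    if "<methodCall" in req:
        return ("medium", "POST to /xmlrpc carrying an XML-RPC methodCall")
    return ("low", "POST to /xmlrpc")


def scan(log_text):
    """Parse JSON-lines log text and return a list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        verdict = classify(record)
        if verdict:
            severity, reason = verdict
            findings.append({
                "src": record.get("src"),
                "path": record.get("path"),
                "severity": severity,
                "reason": reason,
            })
    return findings


def probes_per_source(findings):
    """Count high-severity hits per source address to spot repeated probing."""
    return Counter(f["src"] for f in findings if f["severity"] == "high")


def is_vulnerable_build(product, build):
    """True when the installed build number is below the fixed build for the product."""
    if product not in FIXED_BUILDS:
        raise ValueError(f"unknown product {product!r}")
    return int(build) < FIXED_BUILDS[product]


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['src']} {f['path']}: {f['reason']}")
    print("high-severity probes per source:", dict(probes_per_source(results)))
    print("PMP build 12100 vulnerable:", is_vulnerable_build("password_manager_pro", 12100))
```

The fault signature is the high-confidence indicator; a bare POST to /xmlrpc is reported at lower severity so that any legitimate XML-RPC use on the host can be tuned out without losing the probe signature.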
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
| CISA | — | 9.8 | CRITICAL | — |
GHSA
GHSA-j9c5-6p9g-hwf3 (unreviewed · 2022-07-20 · CRITICAL · CWE-502): Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
VulnCheck
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability (2022 · CRITICAL · CVSS 9.8 · CWE-502)
Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/b3c77689953e
Remediation Due: 2022-10-13
CISA
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability (added 2022-09-22 · CRITICAL · CVSS 9.8 · CWE-502)
Affected: Zoho ManageEngine
Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html; https://nvd.nist.gov/vuln/detail/CVE-2022-35405
Remediation Due Date: 2022-10-13
No detection rules found.
Metasploit
Zoho Password Manager Pro XML-RPC Java Deserialization
This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain RCE as the SYSTEM user.
Nuclei
Zoho ManageEngine - Remote Code Execution (CRITICAL · CVSS 9.8)
Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
```yaml
id: CVE-2022-35405
info:
  name: Zoho ManageEngine - Remote Code Execution
  author: viniciuspereiras,true13
  severity: critical
  description: |
    Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessar
```
Tenable
CVE-2022-47523: ManageEngine Password Manager Pro, PAM360 and Access Manager Plus SQL Injection Vulnerability (Tenable blog · 2023-01-05 · CRITICAL · CVSS 9.8)
Qualys
October 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities With 13 Critical, Plus 12 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 29 Vulnerabilities With 17 Critical. (Qualys blog · 2022-10-11 · HIGH · CVSS 7.8)
References
- http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html
- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-35405
Timeline
- 2022-07-19: Published
- 2022-09-22: Added to CISA KEV
- Exploited in the wild