cbcvebase.
CVE-2022-35405
published 2022-07-19


Priority: P1 · 100 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-10-13
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

Affected

6 ranges
Vendor     Product                              Version range   Fixed in
zohocorp   manageengine_access_manager_plus     < 4.3           4.3
zohocorp   manageengine_access_manager_plus
zohocorp   manageengine_pam360                  < 5.5           5.5
zohocorp   manageengine_pam360
zohocorp   manageengine_password_manager_pro    < 12.1          12.1
zohocorp   manageengine_password_manager_pro

Detection & IOCs (extracted from sources)

URL: /xmlrpc
Sigma: HTTP POST to /xmlrpc endpoint on ManageEngine products returning 'faultString' with 'No such service' or 'No such handler' in response body
  • Monitor for unauthenticated HTTP POST requests to the /xmlrpc endpoint on ManageEngine Password Manager Pro, PAM360, and Access Manager Plus instances.
  • Probe/exploit traffic can be fingerprinted by a POST body containing XML-RPC methodCall structure and a response body containing 'faultString' alongside 'No such service' or 'No such handler'.
  • Use Shodan/FOFA/Google dorks to identify exposed ManageEngine instances: Shodan queries 'http.title:"ManageEngine"', FOFA 'title="manageengine"', Google 'intitle:"manageengine"'.
  • Exploitation results in code execution as the SYSTEM user on Windows; look for anomalous child processes spawned by the ManageEngine service process.
  • Access Manager Plus requires authentication to exploit, unlike Password Manager Pro and PAM360, which are vulnerable to unauthenticated RCE.
  • Vulnerable version thresholds: Password Manager Pro before 12101, PAM360 before 5510, Access Manager Plus before 4303.
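The Sigma logic above, implemented as an added example that is not part of this record or of any ManageEngine tooling: a Python scan over constructed JSON-lines reverse-proxy records (the field names are assumptions) that flags POSTs to /xmlrpc whose response carries a 'No such service' or 'No such handler' faultString, while ignoring GETs, other paths and unrelated XML-RPC faults.

```python
import json
from typing import Iterable

XMLRPC_PATH = "/xmlrpc"
FAULT_MARKERS = ("No such service", "No such handler")

# Constructed reverse-proxy access records (JSON lines, one request/response
# pair each). Field names and values are assumptions, not a real log schema.
SAMPLE_LOGS = """
{"ts":"2022-07-20T10:01:02Z","src":"203.0.113.7","method":"POST","path":"/xmlrpc","auth":false,"body":"<methodCall><methodName>probe</methodName></methodCall>","resp":"<fault><member><name>faultString</name><value>No such service: probe</value></member></fault>"}
{"ts":"2022-07-20T10:01:05Z","src":"203.0.113.7","method":"POST","path":"/xmlrpc/?x=1","auth":false,"body":"<methodCall></methodCall>","resp":"<fault><member><name>faultString</name><value>No such handler</value></member></fault>"}
{"ts":"2022-07-20T10:02:00Z","src":"198.51.100.4","method":"GET","path":"/xmlrpc","auth":false,"body":"","resp":"<html>404</html>"}
{"ts":"2022-07-20T10:03:11Z","src":"198.51.100.4","method":"POST","path":"/xmlrpc","auth":true,"body":"<methodCall></methodCall>","resp":"<fault><member><name>faultString</name><value>Unknown method</value></member></fault>"}
{"ts":"2022-07-20T10:04:00Z","src":"192.0.2.9","method":"POST","path":"/login","auth":true,"body":"j_username=admin","resp":"<html>ok</html>"}
"""

def _normalize_path(path: str) -> str:
    """Drop the query string and trailing slashes so /xmlrpc/?x=1 matches /xmlrpc."""
    return path.split("?", 1)[0].rstrip("/").lower()

def is_xmlrpc_fault_probe(rec: dict) -> bool:
    """The page's detection logic: a POST to /xmlrpc whose response body carries
    a faultString of 'No such service' or 'No such handler'."""
    if rec.get("method") != "POST":
        return False
    if _normalize_path(rec.get("path", "")) != XMLRPC_PATH:
        return False
    resp = rec.get("resp", "")
    return "faultString" in resp and any(m in resp for m in FAULT_MARKERS)

def scan(lines: Iterable[str]) -> list[dict]:
    """Return one finding per matching record with triage context (unauthenticated caller? XML-RPC body?)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if is_xmlrpc_fault_probe(rec):
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "unauthenticated": rec.get("auth") is False,
                             "xmlrpc_body": "<methodCall" in rec.get("body", "")})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Findings with unauthenticated set are the ones relevant to Password Manager Pro and PAM360; on Access Manager Plus the same pattern from an authenticated session still warrants review, since that product is exploitable post-authentication.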

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL