External risk intelligence

Zoho ManageEngine Remote Code Execution Vulnerability.

CVE advisory
Known Exploit

CVE-2022-35405

Zoho ManageEngine Password Manager Pro and PAM360 are affected by a flaw allowing unauthenticated remote code execution. This presents a risk of unauthorized system control, potentially leading to data compromise or operational disruption. Organizations should identify and mitigate exposure.

Halo Surface Signal: 5

Deserialization

Zohocorp Manageengine Access Manager Plus

  • before 4.3
  • before 5.5
  • before 12.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-35405

The affected products are privileged access management and password management solutions. These are designed to be centrally managed, often reachable via web interfaces, and are frequently deployed in environments where they must be accessible to users and systems across a network, making them highly prone to being exposed on the internet or at the network edge.

Horizon Alert

Summary of the vulnerability and why it matters

Zoho ManageEngine products, specifically Password Manager Pro and PAM360, contain a core flaw that permits unauthenticated remote code execution. This vulnerability could allow unauthorized actors to execute arbitrary code on affected systems. The primary business risk stems from the potential for attackers to gain control over these systems, leading to data breaches or operational disruptions.

  • Vulnerable Zoho ManageEngine products
  • Unauthenticated remote code execution
  • Compromised systems and data

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected systems. Attackers can exploit this by sending specially crafted data to the application's XML-RPC interface. Successful exploitation could lead to a complete compromise of the affected server, impacting the confidentiality, integrity, and availability of business systems and data.

  • Publicly accessible systems
  • Remote attacker
  • Trigger code execution, gain control

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk, as it allows for unauthenticated remote code execution. Attackers with a moderate level of skill could potentially exploit this flaw to gain unauthorized access and execute malicious code on affected systems. The business risk is high, suggesting urgent attention is required.

  • Likely attacker skill level: Moderate
  • Required access or conditions: Network accessible
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows for unauthenticated remote code execution, posing a significant risk to affected organizations. Successful exploitation could lead to unauthorized access and control over critical systems and sensitive data. Immediate action is required to identify and mitigate potential exposure.

  • Find exposed instances of affected products.
  • Reduce exposure or isolate risk.
  • Apply vendor fixes and validate.
  • Monitor for related issues.
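The first three actions above (find exposed instances, reduce exposure, patch and validate) come down to comparing an inventory against the advisory's version thresholds and ordering the work by exposure. The script below is an added example, not Halo's or Zoho's code: it takes a constructed inventory of hosts, flags the ones running a version below the thresholds listed on this page (before 4.3, 5.5 and 12.1), and puts internet-exposed instances first. The page does not say which threshold belongs to which product; the mapping used here (Access Manager Plus 4.3, PAM360 5.5, Password Manager Pro 12.1) is an assumption stated in the code, as are the hostnames and versions in the sample inventory.

```python
"""Triage a constructed inventory of ManageEngine privileged-access products
against the version thresholds in this advisory (before 4.3 / 5.5 / 12.1).

Added example, not vendor code. Labelled assumptions:
  * which threshold applies to which product is not stated on the page; the
    mapping in FIXED_VERSIONS is assumed.
  * the inventory records below are constructed sample data.
"""
from dataclasses import dataclass

# ASSUMED mapping of advisory thresholds to products. An instance is affected
# when its version sorts below the threshold.
FIXED_VERSIONS = {
    "Access Manager Plus": (4, 3),
    "PAM360": (5, 5),
    "Password Manager Pro": (12, 1),
}


def parse_version(text: str) -> tuple:
    """'12.0.9' -> (12, 0, 9). Unparseable strings raise instead of silently
    comparing as 'not affected'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the product is one named in the advisory and its version is
    below the (assumed) fixed threshold. Products the advisory does not name
    are reported as not affected by this CVE; they need their own review."""
    threshold = FIXED_VERSIONS.get(product)
    if threshold is None:
        return False
    # Tuple comparison: (12, 0, 9) < (12, 1) is True, (12, 1, 0) < (12, 1) is False.
    return parse_version(version) < threshold


@dataclass(frozen=True)
class Instance:
    host: str
    product: str
    version: str
    internet_exposed: bool


def triage(inventory):
    """Return the affected instances, internet-exposed ones first, then by
    hostname: the advisory's 'find exposed, reduce exposure, patch' order."""
    affected = [i for i in inventory if is_affected(i.product, i.version)]
    affected.sort(key=lambda i: (not i.internet_exposed, i.host))
    return affected


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Instance("pmp-dmz-01.example", "Password Manager Pro", "12.0.9", True),
    Instance("pmp-int-02.example", "Password Manager Pro", "12.1", False),
    Instance("pam360-01.example", "PAM360", "5.4", False),
    Instance("amp-edge-01.example", "Access Manager Plus", "4.2", True),
    Instance("amp-lab-01.example", "Access Manager Plus", "4.3.1", False),
]

if __name__ == "__main__":
    for inst in triage(SAMPLE_INVENTORY):
        where = "INTERNET-EXPOSED" if inst.internet_exposed else "internal"
        print(f"{where:16} {inst.host:24} {inst.product} {inst.version}")
```

Feed it your real asset list (product, version, and whether the host is reachable from outside) and the output is the patch order; a version string the parser cannot read is raised as an error rather than quietly dropped, because an unparseable entry is exactly the one that tends to be the forgotten appliance.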

Frequently asked questions

What is Zoho ManageEngine Password Manager Pro?

Zoho ManageEngine Password Manager Pro is a software solution used for managing and securing passwords and other sensitive credentials within an organization. It helps to centralize password storage, enforce password policies, and provide secure access to shared accounts.

What is CWE-502 in CVE-2022-35405?

In CVE-2022-35405, the weakness identified is CWE-502, which stands for Deserialization of Untrusted Data. This means the software improperly processes serialized data received from an untrusted source, potentially allowing an attacker to execute arbitrary code.
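To make the CWE-502 description concrete, here is the control that "improperly processes serialized data" lacks: an allowlist of the types a deserializer may reconstruct. This is an added example, not ManageEngine code, and it deliberately does not model the affected products (which are Java applications exposing XML-RPC); it uses Python's pickle only because it shows the same class-level allowlisting in a form that runs stand-alone. The two serialized blobs are constructed sample data, not exploit payloads.

```python
"""Deserialization of untrusted data (CWE-502) in miniature: accepting whatever
class names a serialized stream references, versus restricting them to an
allowlist. Added example, not vendor code; pickle stands in for the Java
serialization the affected products use.
"""
import datetime
import io
import pickle

# Only plain container types may be reconstructed. A stream that names any
# other class (including one whose constructor has side effects) is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the hook pickle calls for every class reference in the
    stream; refusing here blocks the reference before anything is built."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"refused to load {module}.{name}")
        return super().find_class(module, name)


def unsafe_loads(blob: bytes):
    """The vulnerable pattern: any class the stream names gets resolved."""
    return pickle.loads(blob)


def safe_loads(blob: bytes):
    """The hardened pattern: same stream, allowlisted class resolution."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def try_safe_load(blob: bytes):
    """Returns (ok, value_or_reason) so a caller can log refused streams,
    which is the detection signal a defender wants from this layer."""
    try:
        return True, safe_loads(blob)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams: a plain dict (only allowlisted types), and a date
# object whose class sits outside the allowlist.
PLAIN_BLOB = pickle.dumps({"user": "svc-backup", "ttl": 3600})
CLASS_BLOB = pickle.dumps(datetime.date(2022, 7, 1))

if __name__ == "__main__":
    print("plain  :", try_safe_load(PLAIN_BLOB))
    print("class  :", try_safe_load(CLASS_BLOB))
    print("unsafe :", unsafe_loads(CLASS_BLOB))
```

The unrestricted loader happily rebuilds the date object, the restricted one refuses it with a message naming the class, and only the plain data structure passes both. The same design applies to Java: a serialization filter that rejects any class not explicitly permitted, applied before the stream is read, is the fix category for this weakness regardless of which endpoint carries the data.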

How can an attacker exploit CVE-2022-35405?

An attacker can exploit this vulnerability by sending specially crafted data to the application's XML-RPC interface. The software processes this data without proper validation, leading to the execution of arbitrary code. This exploit does not require the attacker to have any prior authentication.

Who should care about this Zoho ManageEngine vulnerability?

Organizations using Zoho ManageEngine Password Manager Pro or PAM360 should care. These products are often internet-facing or accessible across a network, making them highly likely to be exposed to potential threats. [cite:haloSurfaceSignal]

What is the first step to address this threat?

The first step is to identify any instances of the affected Zoho ManageEngine products within your environment that might be exposed. Once identified, focus on reducing their exposure or isolating them from the network while planning to apply vendor-provided fixes.

References