IT teams and MSPs can be affected by ManageEngine security vulnerability

Zoho has urged its customers to patch a critical ManageEngine security vulnerability affecting multiple products.

The vulnerability is tracked as CVE-2022-47523, an SQL injection bug in the Password Manager Pro secure vault, Access Manager Plus and the PAM360 privileged access management software.

Exploiting this ManageEngine security vulnerability allows attackers to access the backend database and execute queries on table entries.

ManageEngine security vulnerability and the patch

ManageEngine's security advisory stated: “We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all [..] users to the backend database.

Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”

ManageEngine fixed the issue last month with correct validation. To update an installation, download the latest patch for the relevant product: PAM360, Password Manager Pro or Access Manager Plus.

Once downloaded, the patch has to be deployed as per the instructions available on each product's update page.

Since the vulnerability is severe, customers are strongly advised to update their build to the latest available version of PAM360, Access Manager Plus and Password Manager Pro ASAP.

| Product Name | Affected Versions | Fixed Version | Fixed On |
|---|---|---|---|
| Password Manager Pro | 12200 and below | 12210 | 30-12-2022 |
| PAM360 | 5800 and below | 5801 | 28-12-2022 |
| Access Manager Plus | 4308 and below | 4309 | 29-12-2022 |

Last year, CISA sent a warning on critical ManageEngine bugs that were being exploited in the wild for remote code execution on outdated servers running Access Manager Plus, Password Manager Pro and PAM360.

Why has ManageEngine been the sweet spot for threat actors?

ManageEngine offers several IT products and currently serves clients and partners across multiple geographies, making it a sweet spot for modern cyberattacks. ManageEngine security vulnerabilities and exploits only make things easier for threat actors.

Desktop Central (now Endpoint Central), ServiceDesk Plus and the tools mentioned above have all been targeted through unpatched vulnerabilities in recent years.

The products' widespread popularity and the availability of servers in a poor security state are the key reasons hackers can easily manipulate and exploit ManageEngine solutions to breach networks and extract data. If not patched at the right time, IT teams and MSPs can fall victim to a major cyber incident.

Last year, in August and October, other threat actors imitated a hacking maneuver of the APT27 hacking group to breach ManageEngine servers.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
