Security News > 2022 > September > Critical ManageEngine RCE flaw is being exploited (CVE-2022-35405)
The US Cybersecurity and Infrastructure Security Agency has added CVE-2022-35405, a critical remote code execution vulnerability in ManageEngine PAM360, Password Manager Pro, and Access Manager Plus, to its Known Exploited Vulnerabilities Catalog.
CVE-2022-35405 is a remote code execution vulnerability that can be exploited to execute arbitrary code on affected installations of Password Manager Pro and PAM360 without prior authentication, and on Access Manager Plus with prior authentication.
"We have fixed this vulnerability by completely removing the vulnerable components from PAM360 and Access Manager Plus, and by removing the vulnerable parser from Password Manager Pro," ManageEngine stated in the advisory, and urged administrators to upgrade to a fixed version, as a proof-of-concept exploit was already public.
The vulnerability can be easily exploited and, depending on the targeted application, without requiring attackers to be authenticated and without the need for user interaction.
Under Binding Operational Directive 22-01, all US federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within specific timeframes.
Vulnerabilities in ManageEngine applications are often taken advantage of by attackers.
News URL
https://www.helpnetsecurity.com/2022/09/23/cve-2022-35405-exploited/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Veeam warns of critical RCE bug in Service Provider Console (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-19 | CVE-2022-35405 | Deserialization of Untrusted Data vulnerability in Zohocorp products Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. | 9.8 |