The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-35405, a critical remote code execution vulnerability in ManageEngine PAM360, Password Manager Pro, and Access Manager Plus, to its Known Exploited Vulnerabilities (KEV) Catalog.
The details of in-the-wild exploitation of the flaw aren’t available – though, according to data collected by GreyNoise, exploitation attempts don’t seem widespread.
CVE-2022-35405 is a remote code execution vulnerability that can be exploited to execute arbitrary code on affected installations of Password Manager Pro and PAM360 without prior authentication, and on Access Manager Plus with prior authentication. The affected versions are:
- Password Manager Pro versions 12100 and below
- PAM360 versions 5500 and below
- Access Manager Plus versions 4302 and below
Fixes for the vulnerability were released in late June. “We have fixed this vulnerability by completely removing the vulnerable components from PAM360 and Access Manager Plus, and by removing the vulnerable parser from Password Manager Pro,” ManageEngine stated in the advisory, and urged administrators to upgrade to a fixed version, as a proof-of-concept exploit was already public.
Since then, other PoCs have been released – including one by Vinicius Pereira, the researcher who flagged it in the first place – and a Metasploit module.
More details about the vulnerability can be found in Pereira’s blog post.
The vulnerability can be easily exploited and, depending on the targeted application, without requiring attackers to be authenticated and without the need for user interaction.
Under Binding Operational Directive (BOD) 22-01, all US federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within specific timeframes.
But “CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.”
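A defender's first step after a KEV addition is to find which installations are actually exposed and how long remains before the remediation deadline. The script below is an added example, not code from ManageEngine, CISA or the article: it parses a feed laid out like the CISA KEV JSON (same field names), checks an inventory of ManageEngine builds against the affected-version ceilings quoted above (12100, 5500 and 4302), and ranks the vulnerable hosts with unauthenticated exposure (Password Manager Pro, PAM360) ahead of the authenticated case (Access Manager Plus), together with the days left before the catalog due date. The KEV snapshot, its dates, the inventory and the `example.internal` hostnames are constructed sample data.

```python
"""Triage ManageEngine installs against a KEV-style feed (added example, not vendor code)."""
import json
from datetime import date, datetime

# Last vulnerable build per product, from the advisory figures quoted in the article.
LAST_VULNERABLE_BUILD = {
    "Password Manager Pro": 12100,
    "PAM360": 5500,
    "Access Manager Plus": 4302,
}

# Whether exploitation needs a valid login, per the article; unauthenticated paths rank first.
AUTH_REQUIRED = {
    "Password Manager Pro": False,
    "PAM360": False,
    "Access Manager Plus": True,
}

CVE = "CVE-2022-35405"

# Constructed snapshot using the CISA KEV JSON field names. The dates are sample
# values for this example, not the catalog's real entries.
KEV_SNAPSHOT = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": CVE,
            "vendorProject": "Zoho",
            "product": "ManageEngine",
            "dateAdded": "2022-09-22",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-13",
        },
        {
            "cveID": "CVE-0000-00000",  # unrelated placeholder entry
            "vendorProject": "Example",
            "product": "Unrelated",
            "dateAdded": "2022-09-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-22",
        },
    ],
})

# Constructed inventory: host, product and installed build number.
INVENTORY = [
    {"host": "pmp-01.example.internal", "product": "Password Manager Pro", "build": 12100},
    {"host": "pam360-01.example.internal", "product": "PAM360", "build": 5501},
    {"host": "amp-01.example.internal", "product": "Access Manager Plus", "build": 4300},
]


def parse_day(text):
    """Parse a YYYY-MM-DD string as used in the KEV feed."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_kev(feed_text):
    """Parse a KEV JSON document into a dict keyed by CVE id."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def is_vulnerable_build(product, build):
    """True when the build is at or below the last vulnerable build for that product."""
    if product not in LAST_VULNERABLE_BUILD:
        raise ValueError(f"unknown product: {product}")
    return int(build) <= LAST_VULNERABLE_BUILD[product]


def triage(inventory, kev, cve, today):
    """Return vulnerable hosts, most urgent first, with days left before the KEV due date.

    Hosts reachable without authentication come first. A negative days_until_due
    means the BOD 22-01 deadline has already passed; None means the CVE is not listed.
    """
    entry = kev.get(cve)
    due = parse_day(entry["dueDate"]) if entry else None
    findings = []
    for item in inventory:
        if not is_vulnerable_build(item["product"], item["build"]):
            continue
        findings.append({
            "host": item["host"],
            "product": item["product"],
            "build": item["build"],
            "auth_required": AUTH_REQUIRED[item["product"]],
            "in_kev": entry is not None,
            "days_until_due": (due - today).days if due else None,
        })
    findings.sort(key=lambda f: (f["auth_required"], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY, load_kev(KEV_SNAPSHOT), CVE, date(2022, 10, 1)):
        print(finding)
```

Feeding the real catalog JSON and a real build inventory into `triage` gives the same ordering; the ceilings are inclusive, so a build exactly at 12100, 5500 or 4302 is still reported as vulnerable.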
Vulnerabilities in ManageEngine applications are often taken advantage of by attackers.
If they haven’t already, enterprise admins should upgrade their solutions to a fixed version. ManageEngine advises those whose machine has been compromised to disconnect and isolate it, and to create a zip file containing the application logs and send it to the company’s support team.