IT teams and MSPs can be affected by ManageEngine security vulnerability

Zoho has urged its customers to patch a critical ManageEngine security vulnerability affecting multiple products.

The vulnerability, tracked as CVE-2022-47523, is an SQL injection bug in the Password Manager Pro secure vault, Access Manager Plus and the PAM360 privileged access management software.

Exploiting this vulnerability allows attackers to access the backend database and execute queries against table entries.

ManageEngine security vulnerability and the patch

ManageEngine's security advisory stated: “We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all [..] users to the backend database.

Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”

ManageEngine fixed the issue last month by adding correct validation. To update an installation, download the latest patch for the relevant product: PAM360, Password Manager Pro or Access Manager Plus.

Once downloaded, the patch must be deployed following the instructions on each product's update page.

Because the vulnerability is severe, customers are strongly advised to update to the latest available version of PAM360, Access Manager Plus and Password Manager Pro as soon as possible.

| Product Name | Affected Versions | Fixed Version | Fixed On |
| --- | --- | --- | --- |
| Password Manager Pro | 12200 and below | 12210 | 30-12-2022 |
| PAM360 | 5800 and below | 5801 | 28-12-2022 |
| Access Manager Plus | 4308 and below | 4309 | 29-12-2022 |

Last year, CISA issued a warning about critical ManageEngine bugs that were being exploited in the wild for remote code execution on outdated servers running Access Manager Plus, Password Manager Pro and PAM360.

Why has ManageEngine been a sweet spot for threat actors?

ManageEngine offers several IT products and serves clients and partners across multiple geographies, which makes it a sweet spot for modern cyberattacks. ManageEngine security vulnerabilities and exploits only make things easier for threat actors.

Desktop Central (now Endpoint Central), ServiceDesk Plus, and the tools mentioned above have all been targeted through unpatched vulnerabilities in recent years.

The widespread popularity of these products, combined with the number of servers left in a poor security state, is the key reason attackers can easily exploit ManageEngine solutions to breach networks and extract data. If patches are not applied in time, IT teams and MSPs can fall victim to a major cyber incident.

Last year, in August and October, other threat actors imitated a technique used by the APT27 hacking group to breach ManageEngine servers.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
