CISA (the Cybersecurity and Infrastructure Security Agency) recently added CVE-2022-35405—a remote code execution (RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)—to its Known Exploited Vulnerabilities (KEV) Catalog, a list of known CVEs that carry significant risk to the federal enterprise. Adding a CVE to the catalog obliges all Federal Civilian Executive Branch (FCEB) agencies to patch it.
According to BleepingComputer, federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they're patched and their networks are protected from attacks leveraging this vulnerability.
CVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software—without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.
Researcher Vinicius Pereira first flagged this vulnerability in June 2022. Since then, several proofs of concept (PoCs) and a Metasploit module for it have been made public.
ManageEngine "strongly recommends" that its clients upgrade their affected software as soon as possible. The company pointed to the following locations where customers can download updates:
- Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
- PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
- Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
While private organizations are not bound by any directive requiring them to patch noteworthy flaws, CISA still urges them to patch as soon as they can.