CVE-2022-35405
Zoho ManageEngine Password Manager Pro, PAM360 and Access Manager Plus vulnerability analysis and mitigation

Overview

Zoho ManageEngine Password Manager Pro before build 12101 and PAM360 before build 5510 are vulnerable to unauthenticated remote code execution (CVE-2022-35405). The same flaw is present in ManageEngine Access Manager Plus before build 4303, but there it can only be reached by an authenticated user. The issue was reported by Vinicius and was publicly disclosed in July 2022 (NVD, ManageEngine Advisory).

Technical details

The vulnerability involves an XML-RPC deserialization issue that can be exploited by sending a specially crafted POST request to the /xmlrpc endpoint. The exploit doesn't require a valid method name or parameter, only that the parameter value is marked as a serializable object using Base64 encoding. The vulnerability can be confirmed by sending an empty string to the endpoint, which responds with 'Failed to read result object: null' if vulnerable. The exploit utilizes the CommonsBeanutils1 deserialization chain to execute arbitrary commands (AttackerKB).
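To make the request shape concrete, the following added example (not code from the page or from ManageEngine) builds an XML-RPC body whose single parameter is marked with Apache XML-RPC's ex:serializable extension, and then shows the request-level check a reverse proxy or WAF in front of the product could apply: parse the body, pull out any serializable parameters and test whether they decode to a Java serialization stream (magic bytes AC ED 00 05). The embedded payload is a constructed, harmless serialized java.lang.String, not a gadget chain; the function names are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace Apache XML-RPC uses for its vendor extensions. An
# <ex:serializable> element in this namespace carries a Base64-encoded
# Java serialized object that the server deserializes on receipt.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS

# Stream header written by java.io.ObjectOutputStream.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Constructed, benign payload: the Java serialization of the String "hello"
# (TC_STRING 0x74, two-byte length, UTF bytes). Stands in for a gadget chain.
BENIGN_SERIALIZED_STRING = b"\xac\xed\x00\x05t\x00\x05hello"


def build_xmlrpc_request(method_name: str, serialized_obj: bytes) -> bytes:
    """Shape of a request whose one parameter is a serializable object.

    The method name is irrelevant to the deserialization step described on
    the page: the parameter is decoded before the call is dispatched.
    """
    payload = base64.b64encode(serialized_obj).decode("ascii")
    body = (
        '<?xml version="1.0"?>'
        '<methodCall xmlns:ex="%s">'
        "<methodName>%s</methodName>"
        "<params><param><value>"
        "<ex:serializable>%s</ex:serializable>"
        "</value></param></params>"
        "</methodCall>"
    ) % (XMLRPC_EXT_NS, method_name, payload)
    return body.encode("utf-8")


def find_serializable_params(body: bytes) -> list:
    """Return the decoded bytes of every <ex:serializable> parameter.

    Returns an empty list when the body is not XML or has no such element.
    Production code should parse untrusted XML with defusedxml rather than
    the stdlib parser to rule out entity-expansion tricks.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    found = []
    for elem in root.iter(SERIALIZABLE_TAG):
        text = (elem.text or "").strip()
        try:
            found.append(base64.b64decode(text, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            found.append(b"")
    return found


def is_java_serialized(blob: bytes) -> bool:
    """True when the blob starts with the Java serialization stream header."""
    return blob.startswith(JAVA_SERIAL_MAGIC)


def classify_request(body: bytes) -> str:
    """Verdict for a request body seen on the way to /xmlrpc.

    'benign' when no serializable parameter is present; any serializable
    parameter that decodes to a Java stream is the pattern to block.
    """
    blobs = find_serializable_params(body)
    if not blobs:
        return "benign"
    if any(is_java_serialized(b) for b in blobs):
        return "java-deserialization"
    return "serializable-param-undecodable"


if __name__ == "__main__":
    req = build_xmlrpc_request("anyMethodName", BENIGN_SERIALIZED_STRING)
    print(req.decode())
    print(classify_request(req))
```

Blocking on the element alone (regardless of whether the payload decodes) is the safer policy for a proxy, since nothing legitimate in these products needs a caller to hand the server a serialized Java object.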

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. For Password Manager Pro and PAM360 no authentication is required, and on Windows installations the code runs with SYSTEM privileges. Because these products exist to store privileged credentials and broker access to other systems, a compromised instance hands the attacker the secrets needed to move further into the network and reach sensitive resources (ManageEngine Advisory).

Mitigation and workarounds

ManageEngine has released fixed builds for all affected products: Password Manager Pro build 12101, PAM360 build 5510 and Access Manager Plus build 4303. The fix removes the vulnerable components entirely from PAM360 and Access Manager Plus, and removes the vulnerable parser from Password Manager Pro. Organizations should upgrade immediately and confirm the installed build number afterwards. To check whether an installation has been probed or compromised, administrators can search accesslog.txt for POST requests to /xmlrpc; any such entry means a client reached the vulnerable handler and should be treated as a trigger for investigation, not dismissed as noise (ManageEngine Advisory).
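The two checks above (am I on a fixed build, and has anyone POSTed to /xmlrpc) as an added example, not code from the page or from ManageEngine. The fixed build numbers are the ones stated on this page; the accesslog.txt sample is constructed for the example and its field order (client, timestamp, request line, status, size) is an assumption about the Tomcat-style access log format, so adjust the regular expression to the layout of your own installation.

```python
import re

# Fixed builds named in the advisory; any lower build of that product is affected.
FIXED_BUILDS = {
    "Password Manager Pro": 12101,
    "PAM360": 5510,
    "Access Manager Plus": 4303,
}


def is_affected(product: str, build: int) -> bool:
    """True when the installed build predates the fix for that product."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError("not a product covered by CVE-2022-35405: %s" % product)
    return build < fixed


# Constructed sample of accesslog.txt content (assumed Tomcat-style layout).
# Two POSTs to /xmlrpc from one external address are the lines of interest;
# the GET to /xmlrpc and the ordinary UI traffic are not.
SAMPLE_ACCESSLOG = """\
10.0.0.5 - - [20/Jul/2022:10:14:02 +0000] "GET /PassTrixMain.cc HTTP/1.1" 200 5123
10.0.0.5 - - [20/Jul/2022:10:14:09 +0000] "POST /j_security_check HTTP/1.1" 302 0
198.51.100.7 - - [21/Jul/2022:03:41:55 +0000] "POST /xmlrpc HTTP/1.1" 500 86
198.51.100.7 - - [21/Jul/2022:03:42:01 +0000] "POST /xmlrpc HTTP/1.1" 200 121
10.0.0.9 - - [21/Jul/2022:08:00:10 +0000] "GET /xmlrpc HTTP/1.1" 405 0
"""

# Matches the request line of a POST whose path is /xmlrpc, optionally with a
# trailing path segment or query string. Only POSTs reach the XML-RPC handler.
XMLRPC_POST = re.compile(r'"POST\s+/xmlrpc(?:[/?]\S*)?\s+HTTP/\d\.\d"')


def find_xmlrpc_posts(log_text: str) -> list:
    """Return every access-log line that records a POST to /xmlrpc."""
    return [line for line in log_text.splitlines() if XMLRPC_POST.search(line)]


def xmlrpc_posts_by_client(log_text: str) -> dict:
    """Map each client address to the number of /xmlrpc POSTs it made.

    Assumes the client address is the first whitespace-separated field, as in
    the constructed sample above.
    """
    counts = {}
    for line in find_xmlrpc_posts(log_text):
        client = line.split(" ", 1)[0]
        counts[client] = counts.get(client, 0) + 1
    return counts


def triage(product: str, build: int, log_text: str) -> dict:
    """Combine the version check with the log check into one summary."""
    hits = xmlrpc_posts_by_client(log_text)
    return {
        "product": product,
        "build": build,
        "affected_build": is_affected(product, build),
        "xmlrpc_post_clients": hits,
        "investigate": bool(hits),
    }


if __name__ == "__main__":
    print(triage("Password Manager Pro", 12100, SAMPLE_ACCESSLOG))
```

A hit from the log check on a build that was already fixed at the time of the request is still worth a look: the fixed builds drop the parser, but the entry tells you who was scanning for it and when.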
