A Zoho ManageEngine vulnerability has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerabilities catalog last week. This remote code execution (RCE) vulnerability affects Password Manager Pro versions 12100 and below, Access Manager Plus versions 4302 and below, and PAM360 versions 5500 and below. Proof of concept (POC) code for an exploit of this vulnerability and a Metasploit module are available publicly online, so all unpatched versions of ManageEngine software should be upgraded immediately. Patches for all affected versions have been released earlier this year. 

The vulnerability tracked as CVE-2022-35405 has been given a critical severity rating, and a CVSS base score of 9.8/10. An exploit of this vulnerability would allow an attacker to execute code remotely without the need for authentication in Password Manager Pro and PAM360 products. For an exploit in Access Manager Plus, the attacker must first be authenticated before RCE can take place. The attack takes advantage of a Java deserialisation flaw, a process in which a modified serialised object is inserted into the code to manipulate the system into recreating this Java object in the memory instead of the unmodified version. Attackers do this by sending an XML-RPC request to /xmlrpc, which results in them gaining the ability to perform RCE as a SYSTEM user. 

In a product advisory released by ManageEngine, users are advised to upgrade their products to the latest versions to prevent falling victim to this exploit. The new versions of PAM360 and Access Manager Plus no longer contain the vulnerable components, and the fixed Password Manager Pro has had the vulnerable parser removed. If you believe that your device has been compromised, the machine should be immediately disconnected and isolated. A zip file then needs to be created that contains all the application logs, which can be sent to ManageEngine’s product support team to report the issue.