CVE-2022-35405: Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
First published: Tue Jul 19 2022(Updated: )
Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zoho ManageEngine | ||
| Zohocorp Manageengine Access Manager Plus | <4.3 | |
| Zohocorp Manageengine Access Manager Plus | =4.3-build4300 | |
| Zohocorp Manageengine Access Manager Plus | =4.3-build4301 | |
| Zohocorp Manageengine Access Manager Plus | =4.3-build4302 | |
| Zohocorp ManageEngine PAM360 | <5.5 | |
| Zohocorp ManageEngine PAM360 | =5.5-build5500 | |
| Zohocorp Manageengine Password Manager Pro | <12.1 | |
| Zohocorp Manageengine Password Manager Pro | =12.1-build12100 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html
- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html;
- https://nvd.nist.gov/vuln/detail/CVE-2022-35405
Frequently Asked Questions
What is CVE-2022-35405?
CVE-2022-35405 is a vulnerability in Zoho ManageEngine Password Manager Pro and PAM360 that allows unauthenticated remote code execution.
What is the severity of CVE-2022-35405?
CVE-2022-35405 has a severity rating of 9.8 out of 10, which is considered critical.
Which Zoho products are affected by CVE-2022-35405?
CVE-2022-35405 affects Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus.
How can an attacker exploit CVE-2022-35405?
An attacker can exploit CVE-2022-35405 by sending a specially crafted request to the vulnerable Zoho ManageEngine products, allowing them to execute remote code without authentication.
Where can I find more information about CVE-2022-35405?
You can find more information about CVE-2022-35405 at the following references: [Packet Storm Security](http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html), [ManageEngine Advisory](https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html).
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/title
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- vendor/zoho
- canonical/zoho manageengine
- vendor/zohocorp
- canonical/zohocorp manageengine access manager plus
- version/zohocorp manageengine access manager plus/4.3-build4300
- version/zohocorp manageengine access manager plus/4.3-build4301
- version/zohocorp manageengine access manager plus/4.3-build4302
- canonical/zohocorp manageengine pam360
- version/zohocorp manageengine pam360/5.5-build5500
- canonical/zohocorp manageengine password manager pro
- version/zohocorp manageengine password manager pro/12.1-build12100