Business software provider Zoho has urged customers to patch a critical security flaw affecting multiple ManageEngine products.
“This security advisory is to let you know that a critical security vulnerability was detected,” Zoho warned on Monday.
The bug, tracked as CVE-2022-47523, is an SQL injection vulnerability found in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution.
Successful exploitation provides attackers with unauthenticated access to the backend database and allows them to execute custom queries to access database table entries.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant all [..] users unauthenticated access to the backend database,” Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”
Zoho says it fixed the issue last month by escaping special characters and adding proper validation.
To upgrade your installation, you should first download the latest upgrade pack for your product (PAM360, Password Manager Pro, Access Manager Plus).
The next step is to deploy the latest build according to the upgrade instructions available on each product’s Upgrade Pack page.
Product Name
Affected Versions
Fixed Version
Fixed On
Password Manager Pro
12200 and below
12210
30-12-2022
PAM360
5800 and below
5801
28-12-2022
Access Manager Plus
4308 and below
4309
29-12-2022
In September, CISA warned of another critical ManageEngine vulnerability (CVE-2022-35405) exploited in attacks to gain remote code execution on unpatched servers running PAM360, Access Manager Plus, and Password Manager Pro.
U.S. Federal Civilian Executive Branch Agencies (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks would be protected from exploitation attempts.
Zoho ManageEngine servers have been under constant targeting in recent years, with Desktop Central instances, for instance, getting hacked and access to breached organizations’ networks sold on hacking forums starting in July 2020.
Between August and October 2021, nation-state hackers have also targeted ManageEngine servers using tactics and tooling similar to those of the Chinese-linked APT27 hacking group.
Following these extensive attack campaigns, the FBI and CISA issued two joint advisories [1, 2] warning of state-sponsored attackers exploiting ManageEngine bugs to backdoor the networks of critical infrastructure organizations.