The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical Java deserialisation bug affecting multiple Zoho ManageEngine products to its Known Exploited Vulnerabilities (KEV) catalogue and warned that the flaw is being actively exploited in attacks.
The flaw, tracked as CVE-2022-35405, is an unsafe Java deserialisation issue that carries a CVSS score of 9.8 (critical) and has been exploited in the wild.
Affected products and versions are listed below:
- PAM360 – 5500 and prior
- Access Manager Plus – 4302 and prior
- Password Manager Pro – 12100 and prior
A successful attack would enable threat actors to achieve remote code execution (RCE) on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro or Access Manager Plus software.
According to ManageEngine, authentication is not required to exploit the vulnerability in Password Manager Pro and PAM360; in Access Manager Plus, exploitation requires an authenticated user.
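As an added illustration of the vulnerability class behind this CVE, not ManageEngine's code and unrelated to the specific parsers the vendor removed in the fix, the snippet below shows the pattern that produces deserialisation RCE (a server-side readObject() on untrusted bytes with no restriction on which classes may be instantiated) next to the same read placed behind a JEP 290 deserialisation filter (Java 9 and later). The Request class, the allow-list pattern and the byte streams are constructed for the example; a real payload would carry a gadget chain rather than an ArrayList, which is used here only to show an unexpected class being rejected.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example (not ManageEngine code): generic unsafe deserialisation and
// its standard mitigation, a class allow-list via ObjectInputFilter.
public class DeserialisationDemo {

    // A harmless application type the server legitimately expects to receive.
    static final class Request implements Serializable {
        private static final long serialVersionUID = 1L;
        final String action;
        Request(String action) { this.action = action; }
    }

    // Helper that produces the byte stream a client (or attacker) would send.
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: readObject() on attacker-controlled bytes with no
    // restriction on the classes that may be instantiated. Any class on the
    // classpath with a usable gadget chain becomes reachable.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: allow-list exactly the classes this endpoint expects,
    // reject everything else ("!*"), and bound depth and size to blunt
    // resource-exhaustion payloads. The pattern string is an assumption for
    // this demo; a real service lists its own types.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserialisationDemo$Request;maxdepth=5;maxbytes=65536;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate request and a stand-in for a
        // malicious one (any class outside the allow-list).
        byte[] expected = serialise(new Request("list-accounts"));
        byte[] unexpected = serialise(new ArrayList<>(List.of("x")));

        // Unfiltered: both streams are happily instantiated.
        System.out.println("unfiltered, expected  : " + ((Request) readUnfiltered(expected)).action);
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass());

        // Filtered: the expected type still works, the unexpected one is
        // rejected before any constructor or readObject hook runs.
        System.out.println("filtered, expected    : " + ((Request) readFiltered(expected)).action);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserialisationDemo.java && java DeserialisationDemo` on JDK 9 or newer. The filter is consulted for every class descriptor in the stream, so the rejection happens before the unexpected class is resolved or instantiated; a process-wide default can also be set with the `jdk.serialFilter` system property, which is the safer baseline when you cannot audit every readObject() call site.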
According to ManageEngine, the vulnerability is resolved by:
- removing all susceptible components from Access Manager Plus and PAM360
- removing the vulnerable parsers from Password Manager Pro
Although Binding Operational Directive (BOD) 22-01 applies only to US Federal Civilian Executive Branch (FCEB) agencies, CISA strongly encourages all organisations, including businesses and government agencies worldwide, to reduce their exposure to cyberattacks by prioritising the timely remediation of KEV catalogue vulnerabilities as part of their vulnerability management practice.
See the ManageEngine advisory for further details and for product support contacts.
To update, download the most recent upgrade pack for the relevant product (the fixed builds are PAM360 5510, Password Manager Pro 12101 and Access Manager Plus 4303):