Severity : Critical
CVE ID : CVE-2022-35405
This document explains the remote code execution vulnerability identified in the following ManageEngine products,
The complete fix for this is now available in the versions below:
Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
---|---|---|---|
Access Manager Plus | 4302 and below | 4303 | 24-06-2022 |
Password Manager Pro | 12100 and below | 12101 | 24-06-2022 |
PAM360 | 5500 and below | 5510 | 23-06-2022 |
Impact :
This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products.
We have fixed this vulnerability,
Caution :
The exploit POC for the above vulnerability is publicly available. We strongly recommend that our customers upgrade their instances of Password Manager Pro, PAM360 and Access Manager Plus immediately.
To verify if your installation is affected, please take the following steps:
Reported by Vinicius.
Please contact product support for further details at the email addresses below:
Password Manager Pro: passwordmanagerpro-support@manageengine.com
Access Manager Plus: accessmanagerplus-support@manageengine.com
PAM360: pam360-support@manageengine.com