ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability

Severity : Critical

CVE ID : CVE-2022-35405

This document explains the remote code execution vulnerability identified in the following ManageEngine products:

  1. Unauthenticated remote code execution in ManageEngine Password Manager Pro and PAM360.
  2. Authenticated remote code execution in ManageEngine Access Manager Plus.

The complete fix for this vulnerability is now available in the versions below:

Product Name          Affected Version(s)   Fixed Version(s)   Fixed On
Access Manager Plus   4302 and below        4303               24-06-2022
Password Manager Pro  12100 and below       12101              24-06-2022
PAM360                5500 and below        5510               23-06-2022

Impact :
This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360; in Access Manager Plus, an authenticated user is required.

We have fixed this vulnerability in the versions listed above.

Caution :
An exploit POC for the above vulnerability is publicly available. We strongly recommend that customers upgrade their instances of Password Manager Pro, PAM360 and Access Manager Plus immediately.

Steps to Upgrade:

  1. Download the latest upgrade pack for the respective product from the following links:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Vinicius.

Please contact product support for further details at the email addresses below:

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com

PAM360: pam360-support@manageengine.com
