Privilege Escalation Vulnerability

This document addresses a privilege escalation vulnerability identified in ManageEngine Remote Access Plus.

Update Released Build: 10.1.2137.10
Update Released Date: January 25, 2022


What was the problem?

A privilege escalation vulnerability was identified in Remote Access Plus that may allow an authenticated web user to change passwords of a more privileged web account. The fix was released on January 25, 2022, and is available in build 10.1.2137.10.

How do I fix it?

Please upgrade to the latest build, 10.1.2137.10, as you normally would. You can visit our service packs page and download the latest build. Alternatively, you can follow the steps below:

  1. Log in to your Remote Access Plus console and click your current build number in the top-right corner.
  2. You'll be able to find the latest build applicable to you. Download the PPM and update.

Note: This vulnerability does not apply to Remote Access Plus Cloud.

Help

For any further queries on this, please reach out to Remote Access Plus support at remoteaccessplus-support@manageengine.com.