Business software provider Zoho has urged customers to patch a critical security vulnerability affecting multiple ManageEngine products.
The flaw, tracked as CVE-2022-47523, is an SQL injection vulnerability found in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution.
Following successful exploitation, the security bug provides attackers with unauthenticated access to the backend database and allows them to execute custom queries to access database table entries.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant all [..] users unauthenticated access to the backend database,” Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”
Zoho says it fixed the issue last month by escaping special characters and adding proper validation.
To upgrade your installation, you should first download the latest upgrade pack for your product (PAM360, Password Manager Pro, Access Manager Plus).
The next step is to deploy the latest build according to the upgrade instructions available on each product’s Upgrade Pack page.
| Product Name | Affected Versions | Fixed Version | Fixed On |
| Password Manager Pro | 12200 and below | 12210 | 30-12-2022 |
| PAM360 | 5800 and below | 5801 | 28-12-2022 |
| Access Manager Plus | 4308 and below | 4309 | 29-12-2022 |
In September, CISA warned of another critical ManageEngine vulnerability (CVE-2022-35405) exploited in attacks to gain remote code execution on unpatched servers running PAM360, Access Manager Plus, and Password Manager Pro.
U.S. Federal Civilian Executive Branch Agencies (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks would be protected from exploitation attempts.
Zoho ManageEngine servers have been under constant targeting in recent years, with Desktop Central instances, for instance, getting hacked and access to breached organizations’ networks sold on hacking forums starting in July 2020.
Between August and October 2021, nation-state hackers have also targeted ManageEngine servers using tactics and tooling similar to those of the Chinese-linked APT27 hacking group.
Following these extensive attack campaigns, the FBI and CISA issued two joint advisories [1, 2] warning of state-sponsored attackers exploiting ManageEngine bugs to backdoor the networks of critical infrastructure organizations.