CVE-2022-35405
In short
Zoho ManageEngine Password Manager Pro and PAM360 allow attackers to run malicious code on the server without needing to log in. This is critical because these tools protect sensitive passwords and access credentials, so compromising them puts all protected accounts at risk.
Technical detail
A CWE-502 (deserialization of untrusted data) flaw in Password Manager Pro (before 12101) and PAM360 (before 5510) allows unauthenticated remote code execution. The attack vector is network-based and requires no authentication; successful exploitation results in complete server compromise with root privileges.
Summary generated and translated by AI from the official description.
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 2
github: github.com/viniciuspereiras/CVE-2022-35405 (★ 31)
cve_reference: packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.