Business software provider Zoho has urged customers to patch a high-severity security flaw affecting multiple ManageEngine products.
The bug, tracked as CVE-2022-47523, is an SQL injection vulnerability found in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution.
Successful exploitation provides authenticated attackers with access to the backend database and allows them to execute custom queries to access database table entries.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all [..] users to the backend database,” Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”
Zoho says it fixed the issue last month by escaping special characters and adding proper validation.
To upgrade your installation, you should first download the latest upgrade pack for your product (PAM360, Password Manager Pro, Access Manager Plus).
The next step is to deploy the latest build according to the upgrade instructions available on each product’s Upgrade Pack page.
| Product Name | Affected Versions | Fixed Version | Fixed On |
| Password Manager Pro | 12200 and below | 12210 | 30-12-2022 |
| PAM360 | 5800 and below | 5801 | 28-12-2022 |
| Access Manager Plus | 4308 and below | 4309 | 29-12-2022 |
In September, CISA warned of another critical ManageEngine vulnerability (CVE-2022-35405) exploited in attacks to gain remote code execution on unpatched servers running PAM360, Access Manager Plus, and Password Manager Pro.
U.S. Federal Civilian Executive Branch Agencies (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks would be protected from exploitation attempts.
Zoho ManageEngine servers have been under constant targeting in recent years, with Desktop Central instances, for instance, getting hacked and access to breached organizations’ networks sold on hacking forums starting in July 2020.
Between August and October 2021, nation-state hackers have also targeted ManageEngine servers using tactics and tooling similar to those of the Chinese-linked APT27 hacking group.
Following these extensive attack campaigns, the FBI and CISA issued two joint advisories [1, 2] warning of state-sponsored attackers exploiting ManageEngine bugs to backdoor the networks of critical infrastructure organizations.
Update January 05, 15:30 EST: Article and title revised after Zoho downgraded the flaw’s severity rating from Critical to High.
“Unfortunately, our team had incorrectly marked the severity of the vulnerability as ‘Critical’ in one of our advisory posts and stated that the vulnerability could allow unauthenticated access to the database,” a Zoho spokesperson told BleepingComputer.
“The vulnerability could only be exploited by an authenticated user and the severity of the issue is ‘High’. We have updated our advisory posts to reflect this information.”
