Enterprise software vendor Zoho has urged customers to patch a high-severity security flaw affecting multiple ManageEngine products.
The bug, identified as CVE-2022-47523, is an SQL injection vulnerability found in the company’s secure Password Manager Pro vault, privileged access management software PAM360 and privileged session management solution Access Manager Plus.
A successful exploit provides authenticated attackers with access to the backend database and allows them to run custom queries to access database table entries.
“We have identified an SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all [..] users to the main database”, Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to immediately upgrade to the latest version of PAM360, Password Manager Pro and Access Manager Plus”.
Zoho says it fixed the problem last month by escaping special characters and adding proper validation.
To upgrade your installation, you must first download the latest upgrade package for your product (PAM360, Password Manager Pro, Access Manager More).
The next step is to deploy the latest version according to the upgrade instructions available on each product’s upgrade package page.
|Product Name||Affected Versions||Fixed version||Fixed on|
|Password Manager Pro||12200 and under||12210||30-12-2022|
|PAM360||5800 and under||5801||28-12-2022|
|Access Manager More||4308 and below||4309||29-12-2022|
In September, CISA warned of another critical ManageEngine vulnerability (CVE-2022-35405) exploited in attacks to achieve remote code execution on unpatched servers running PAM360, Access Manager Plus and Password Manager Pro.
US Federal Civilian Executive Branch (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks would be protected against exploit attempts.
Zoho ManageEngine servers have been constantly targeted in recent years, with Desktop Central instances, for example, hacked and accessing hacked organization networks sold on hacking forums from July 2020.
Between August and October 2021, nation-state hackers have also targeted ManageEngine servers using similar tactics and tools as the China-linked APT27 hacking group.
Following these extensive attack campaigns, the FBI and CISA issued two joint notices [1, 2] warning of state-sponsored attackers exploiting ManageEngine bugs to hijack networks of critical infrastructure organizations.
Updated January 05, 3:30 p.m. EST: Article and title revised after Zoho downgraded the severity rating of the flaw from critical to high.
“Unfortunately, our team had incorrectly marked the severity of the vulnerability as ‘Critical’ in one of our advisory posts and stated that the vulnerability could allow unauthenticated database access,” a spokesperson said. from Zoho to BleepingComputer.
“The vulnerability can only be exploited by an authenticated user and the severity of the issue is ‘high’. We have updated our advisory messages to reflect this information.”