Enterprise software vendor Zoho has urged customers to patch a critical security flaw affecting multiple ManageEngine products.
“This security advisory is to inform you that a critical security vulnerability has been detected,” says Zoho warned Monday.
The bug, identified as CVE-2022-47523, is an SQL injection vulnerability found in the company’s secure Password Manager Pro vault, privileged access management software PAM360 and privileged session management solution Access Manager Plus.
Successful exploitation provides attackers unauthenticated access to the main database and allows them to run custom queries to access database table entries.
“We have identified an SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant everyone [..] users have unauthenticated access to the backend database,” Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to immediately upgrade to the latest version of PAM360, Password Manager Pro and Access Manager Plus”.
Zoho says it fixed the problem last month by escaping special characters and adding proper validation.
The next step is to deploy the latest version according to the upgrade instructions available on each product’s upgrade package page.
|Product Name||Affected Versions||Fixed version||Fixed on|
|Password Manager Pro||12200 and under||12210||30-12-2022|
|PAM360||5800 and under||5801||28-12-2022|
|Access Manager More||4308 and below||4309||29-12-2022|
In September, CISA warned of another critical ManageEngine vulnerability (CVE-2022-35405) exploited in attacks to achieve remote code execution on unpatched servers running PAM360, Access Manager Plus and Password Manager Pro.
US Federal Civilian Executive Branch (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks would be protected against exploit attempts.
Zoho ManageEngine servers have been constantly targeted in recent years, with Desktop Central instances, for example, hacked and accessing hacked organization networks sold on hacking forums from July 2020.
Between August and October 2021, nation-state hackers have also targeted ManageEngine servers using similar tactics and tools as the China-linked APT27 hacking group.
Following these extensive attack campaigns, the FBI and CISA issued two joint notices [1, 2] warning of state-sponsored attackers exploiting ManageEngine bugs to hijack networks of critical infrastructure organizations.