A critical SQL injection vulnerability has been identified in multiple Zoho ManageEngine products. Zoho is urging all business users of the affected software solutions to patch the vulnerability immediately to prevent exploitation. The patch adds proper validation and escaping special characters to prevent the vulnerability from being exploited.
The vulnerability is tracked as CVE-2022-47523 and affects its Password Manager Pro, PAM360, and Access Manager Plus solutions. If exploited, an adversary would be able to execute custom queries and access the database table entries using the vulnerable request. Palo Alto Networks reports that there are currently around 11,000 Internet-exposed servers running the affected Zoho software that could potentially be attacked.
| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
| Password Manager Pro | 12200 and below | 12210 | 30-12-2022 |
| PAM360 | 5800 and below | 5801 | 28-12-2022 |
| Access Manager Plus | 4308 and below | 4309 | 29-12-2022 |
Exact details of the nature of the vulnerability have not been released. At present, the vulnerability is not believed to have been exploited in the wild and a proof-of-concept exploit is not in the public domain, but the affected products have been targeted by cyber threat actors in the past so exploitation of the flaw is likely.
State-sponsored threat actors have previously targeted critical infrastructure organizations that use these products. Last year, the CVE-2022-35405 ManageEngine vulnerability was exploited to achieve remote code execution on vulnerable servers running ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the United States Coast Guard Cyber Command (CGCYBER) issued a warning that the critical ManageEngine flaw was being exploited in the wild, most likely by the Chinese APT27 hacking group, with global telemetry indicating at least 370 servers had been compromised by exploiting the flaw at the time the alert was issued.
“Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately,” explained Zoho in its security alert.