ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability

Severity : Critical

CVE ID : CVE-2022-35405

This document explains the remote code execution vulnerability identified in the following ManageEngine products,

1. Unauthenticated remote code execution in ManageEngine Password Manager Pro and PAM360.
2. Authenticated remote code execution in ManageEngine Access Manager Plus.

The complete fix for this is now available in the below versions,

Impact :
This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products.

We have fixed this vulnerability,

• By completely removing the vulnerable components from PAM360 and Access Manager Plus.
• By removing the vulnerable parser from Password Manager Pro.

Caution :
The exploit POC for the above vulnerability is available in public. We strongly recommend our customers to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately.

Steps to Upgrade:

1. Download the latest upgrade pack from the following links for the respective product:
   • PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
   • Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
   • Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Vinicius.

Please contact the product support for further details at the below mentioned email addresses:

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com

PAM360: pam360-support@manageengine.com