ManageEngine vulnerability posed code injection risk for password management software

guest · Sep 9, 2022

Authentication-free flaw opened the door to a raft of exploits
By Emma Woollacott @EmmaWoollacott - September 9, 2022

A researcher has discovered a vulnerability in ManageEngine that could allow an attacker to execute arbitrary code on affected installations of some of its password and access management tools.

ManageEngine offers enterprise IT management software for service management, operations management, Active Directory, and security, and is used by 280,000 organizations in 190 countries.
Click to expand...

Thanks to the use of a vulnerable version of Apache OFBiz, a Java-based open source enterprise resource planning (ERP) system, remote attackers could have executed arbitrary code on vulnerable installations of Password Manager Pro, access management tool PAM360, and Access Manager Plus, according to GitHub security researcher Alvaro Muñoz.

No authentication would have been needed to exploit this vulnerability in Password Manager Pro or PAM360 products. In the case of Password Manager Pro, an attacker would be able to enter internal networks, compromise data on the server, or crash or shutdown the whole server and applications.
Click to expand...

CVE-2022-35405 Manage engines RCE (Password Manager Pro, PAM360 and Access Manager Plus)

“This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products.”

First this vulnerability was found in Password Manager Pro, however after the report and disclosure of the Security Fixes it was identified that the vulnerability also existed in PAM360 and Access Manager Plus installations.
Click to expand...

Log in or Sign up

ManageEngine vulnerability posed code injection risk for password management software

guest Guest

Log in or Sign up

ManageEngine vulnerability posed code injection risk for password management software

guest Guest

Useful Searches