Cyber Resilience

CVE-2022-29081

Severity: Critical · Public PoC referenced
Published: 28 April 2022
Modified: 06 November 2025
KEV Added: not listed
Patch: fixed builds available (Access Manager Plus 4302, Password Manager Pro 12007, PAM360 5401)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.8803 (99.5th percentile)
Risk Priority: 72 (weighted 60% EPSS, 20% KEV, 20% CVSS; the KEV term is zero because the CVE is not listed)

Summary

CVE-2022-29081 is a critical-severity vulnerability in Zoho ManageEngine Access Manager Plus, Password Manager Pro, and PAM360. NVD classifies it as Path Traversal (CWE-22), although its practical effect is an access-control bypass on REST API endpoints. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.5% of CVEs by EPSS exploit likelihood (99.5th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Zoho ManageEngine Access Manager Plus before build 4302, Password Manager Pro before build 12007, and PAM360 before build 5401 contain an access-control bypass on several REST API endpoints, including SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize. NVD tracks the flaw as CWE-22: an attacker who includes the ../RestAPI substring in a request to those URLs is granted access that the products' controls were meant to deny. The advisory text does not explain why the substring defeats the check. The CVSS 3.1 score of 9.8 reflects network-reachable exploitation with no credentials and no user interaction.

An unauthenticated remote attacker can use the bypass to reach restricted functionality on the affected REST endpoints. Because these products are privileged-access management systems that hold credentials for other infrastructure, the CVSS vector rates the outcome as full loss of confidentiality, integrity, and availability.

The ManageEngine advisory and the Tenable entry describe the affected builds and direct administrators to upgrade to Access Manager Plus build 4302, Password Manager Pro build 12007, or PAM360 build 5401 or later. Because the bypass is unauthenticated and a public PoC exists, treat Internet-exposed unpatched instances as potentially compromised and review web access logs for requests containing the ../RestAPI pattern, including URL-encoded spellings. The EPSS score stands at 0.8803 (99.5th percentile).
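To make the weakness class concrete, the following is an added model (not ManageEngine's code, and not derived from the product) of how a request path check can disagree with the dispatcher. The page documents only that the listed endpoints become reachable when ../RestAPI appears in the request; the filter shape below, a raw-string test on the path performed before '..' segments are collapsed, is an assumed reconstruction of that bug class, the `RESTRICTED` set reuses the endpoint names from the advisory text, and `authenticated` stands in for a real session check.

```python
"""Model of the access-check/dispatch mismatch behind CVE-2022-29081.

Added example, not ManageEngine code. The filter logic is an ASSUMED
reconstruction of the weakness class (check on the raw path, dispatch on
the normalised path); only the endpoint names come from the advisory.
"""

# Endpoint names taken from the advisory text; handlers are not modelled.
RESTRICTED = {
    "SSOutAction", "SSLAction", "LicenseMgr", "GetProductDetails",
    "GetDashboard", "FetchEvents", "Synchronize",
}


def normalize(raw_path: str) -> str:
    """Collapse empty, '.' and '..' segments the way a servlet container does
    before choosing a handler. A '..' at the root is dropped, not escaped."""
    out = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(path: str) -> bool:
    """True for /RestAPI/<one of the restricted endpoints>."""
    parts = path.split("/")
    return len(parts) >= 3 and parts[1] == "RestAPI" and parts[2] in RESTRICTED


def vulnerable_allows(raw_path: str, authenticated: bool) -> bool:
    """Assumed weak filter: the protected-route test runs on the RAW path.
    '/x/../RestAPI/SSOutAction' does not look protected, so it passes the
    filter, yet the container still dispatches it to /RestAPI/SSOutAction."""
    if is_protected(raw_path):
        return authenticated
    return True


def hardened_allows(raw_path: str, authenticated: bool) -> bool:
    """Reject traversal segments outright, then decide on the same canonical
    path the dispatcher will use, so filter and router agree."""
    if ".." in raw_path.split("/"):
        return False
    if is_protected(normalize(raw_path)):
        return authenticated
    return True


def trace(raw_path: str, authenticated: bool = False) -> dict:
    """For one request: where it really lands and what each filter decides."""
    return {
        "dispatched_to": normalize(raw_path),
        "vulnerable_filter_passes": vulnerable_allows(raw_path, authenticated),
        "hardened_filter_passes": hardened_allows(raw_path, authenticated),
    }


if __name__ == "__main__":
    for p in ("/RestAPI/SSOutAction", "/x/../RestAPI/SSOutAction"):
        print(p, trace(p))
```

The weak filter also lets a double-slash spelling such as //RestAPI//GetDashboard through, because the raw segment list no longer starts with RestAPI while the router still collapses it; that is a generalization of the same mismatch in this model, not something the page documents for these products. The fix is the same either way: canonicalize first, then authorize on the canonical path.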

Vulnerability details

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                            Versions (as enumerated in NVD CPE data)
zohocorp   manageengine access manager plus   4.0, 4.1, 4.2, 4.3
zohocorp   manageengine pam360                4.0, 4.1, 4.5, 5.0, 5.1
zohocorp   manageengine password manager pro  10.1, 10.2, 10.3, 10.4, 11.1

The NVD CPE entries list product versions; the vendor identifies the fix by build number (Access Manager Plus 4302, Password Manager Pro 12007, PAM360 5401), so any build below those is affected regardless of the marketing version.

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry. For this CVE the primary control is the vendor patch; the generic CWE-22 control describes the underlying defect.

Addresses: CWE-22
Control: Validates pathnames and filenames to prevent traversal outside intended directories. For a URL-based access check this means evaluating the canonicalized request path rather than the raw string, so that '..' segments cannot change which handler the check is applied to.
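As a practical check to go with the control above, here is an added detection sweep (not code from the page or from the vendor) that scans web access logs for the ../RestAPI trigger the advisory names, including percent-encoded spellings. The Common Log Format layout the regex expects is an assumption, and the sample log lines are constructed for this example, not real traffic from any host.

```python
"""Detection sweep for CVE-2022-29081 bypass attempts in web access logs.

Added example, not from the page or the vendor. It assumes Common Log
Format lines (the regex below is that assumption); the log lines are
constructed for this example. Any request whose URL-decoded path contains
'../RestAPI' is flagged, so '%2e%2e' and '..%2f' spellings are caught too.
"""
import re
from urllib.parse import unquote

# Constructed sample log (CLF). Line 1 is a direct request that was correctly
# refused; lines 2-4 are bypass attempts in plain and encoded forms; line 5
# is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2022:10:01:02 +0000] "GET /RestAPI/GetDashboard HTTP/1.1" 401 0
203.0.113.7 - - [28/Apr/2022:10:01:05 +0000] "GET /x/../RestAPI/GetDashboard HTTP/1.1" 200 4312
198.51.100.9 - - [28/Apr/2022:10:02:11 +0000] "GET /%2e%2e/RestAPI/LicenseMgr HTTP/1.1" 200 988
198.51.100.9 - - [28/Apr/2022:10:02:12 +0000] "POST /..%2fRestAPI/Synchronize HTTP/1.1" 200 120
192.0.2.4 - - [28/Apr/2022:10:03:00 +0000] "GET / HTTP/1.1" 200 7740
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TRIGGER = "../RestAPI"   # substring named in the advisory


def decode_path(path: str) -> str:
    """Drop the query string, then percent-decode until stable (bounded) so
    double-encoded forms such as '%252e' are reduced as well."""
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_bypass_attempt(path: str) -> bool:
    """True when the decoded path carries the traversal trigger."""
    return TRIGGER in decode_path(path)


def find_bypass_attempts(log_text: str) -> list:
    """One record per flagged request. 'served' is True for a 2xx answer,
    meaning the server acted on the traversal request; treat such a host as
    exposed until its build is confirmed at or above the fixed build."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or not is_bypass_attempt(m["path"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "raw_path": m["path"],
            "decoded_path": decode_path(m["path"]),
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged line answered with 401 or 403 indicates the filter held (patched build, or a proxy rule in front of it); a flagged line answered with 200 on a build below the fix is the signal to escalate, since the request reached one of the endpoints the advisory lists.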

References