CVE-2022-35405
Published: 19 July 2022
Summary
CVE-2022-35405 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Zoho ManageEngine Access Manager Plus (the same flaw also affects Password Manager Pro and PAM360, as detailed below). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Zoho ManageEngine Password Manager Pro versions prior to 12101 and PAM360 versions prior to 5510 contain an unauthenticated remote code execution vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). The same issue affects ManageEngine Access Manager Plus before version 4303, although that product requires authentication for exploitation. The flaw carries a CVSS 3.1 score of 9.8 and resides in the XML-RPC handling path of these password and privileged-access management products.
An unauthenticated remote attacker can submit a crafted XML-RPC request that triggers Java deserialization, resulting in arbitrary code execution on the server. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact without any user interaction or prior credentials.
Vendor advisories from ManageEngine direct customers to upgrade Password Manager Pro to 12101 or later, PAM360 to 5510 or later, and Access Manager Plus to 4303 or later. Public exploit code targeting the deserialization vector has been published, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.
The associated EPSS score reached a peak of 0.9753 and currently stands at 0.9420, indicating sustained and substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38295
Vulnerability details
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 22 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires applying the vendor-supplied fixed builds (Password Manager Pro 12101, PAM360 5510, Access Manager Plus 4303), which remove the deserialization flaw before exploitation can occur.
- SI-10 (Information Input Validation): mandates validation of all input, including XML-RPC payloads, so that serialized Java objects capable of triggering unauthenticated RCE are rejected rather than deserialized.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity checks on software and incoming data to detect or block unauthorized code introduced via the deserialization vector.
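The input-validation control above (SI-10) applied at the Java deserialization boundary, as an added illustration that is not ManageEngine's code: a JEP 290 allowlist filter that lets ObjectInputStream reconstruct only one expected class and rejects every other class before its readObject runs. The RpcParam type, the filter pattern and the sample payloads are constructed for this example; the vendor-supplied fixed builds remain the actual remediation for this CVE.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserialize {
    // Hypothetical parameter type that a legitimate RPC client is expected to send.
    static final class RpcParam implements Serializable {
        final String name;
        RpcParam(String name) { this.name = name; }
    }
    // Allowlist filter (JEP 290): only RpcParam and String may be reconstructed.
    // Any other class, including gadget-chain classes, is rejected before it is
    // instantiated; the depth/reference limits bound resource abuse.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$RpcParam;java.lang.String;maxdepth=5;maxrefs=100;!*");
    // Deserialize a payload from an untrusted source under the filter.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }
    // Builds the constructed sample payloads used in main().
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Expected input passes the filter.
        RpcParam ok = (RpcParam) readFiltered(serialize(new RpcParam("user")));
        System.out.println("accepted: " + ok.name);
        // An unexpected class (a HashMap stands in for any untrusted object graph)
        // is rejected with InvalidClassException, never reaching its readObject.
        try {
            readFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide equivalent can be set once via ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which covers deserialization paths an application does not wrap explicitly.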