CVE-2022-35405

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 19 July 2022
Modified: 31 October 2025
KEV Added: 22 September 2022
CVSS Score: 9.8 (v3.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9420 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-35405 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Zoho ManageEngine Password Manager Pro and PAM360 that allows unauthenticated remote code execution. ManageEngine Access Manager Plus is affected by the same flaw, but there exploitation requires authentication. The CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9420), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Zoho ManageEngine Password Manager Pro versions prior to 12101 and PAM360 versions prior to 5510 contain an unauthenticated remote code execution vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). The same issue affects ManageEngine Access Manager Plus before version 4303, although that product requires authentication for exploitation. The flaw carries a CVSS 3.1 score of 9.8 and resides in the XML-RPC handling path of these password and privileged-access management products.

Against Password Manager Pro and PAM360, an unauthenticated remote attacker can submit a crafted XML-RPC request whose payload is passed to Java deserialization, resulting in arbitrary code execution on the server. Successful exploitation grants full confidentiality, integrity, and availability impact without any user interaction or prior credentials. Against Access Manager Plus the same deserialization path is reachable only after authentication, so a valid login (or a stolen session) is the extra precondition there.
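As an added example (not code from this page, from the vendor, or from the published PoC), the following Python scans an XML-RPC methodCall body for parameters that decode to a Java serialization stream. This is the check a reverse proxy or SOC pipeline would run against the request path described above, and it is the concrete form of the input-validation control listed under Mitigating Controls further down. It assumes the serialized object travels in a base64 (or base64 text in a string) parameter, which the page does not state; the sample requests, method names and stub stream are constructed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005), as defined in java.io.ObjectStreamConstants.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# XML-RPC value types whose text can carry an opaque blob.  Assumption for this
# example: the object arrives as a <base64> (or base64 text inside a <string>)
# parameter; the page does not say which parameter the exploit uses.
BLOB_TAGS = ("base64", "string")


def _decoded_forms(text: str) -> List[bytes]:
    """Candidate byte strings a parameter's text may represent: its base64
    decoding (when it decodes cleanly) followed by the raw text bytes."""
    forms = []
    compact = re.sub(r"\s+", "", text)  # XML-RPC base64 is often line-wrapped
    try:
        forms.append(base64.b64decode(compact, validate=True))
    except (binascii.Error, ValueError):
        pass  # not valid base64; only the raw form is checked
    forms.append(text.encode("latin-1", errors="ignore"))
    return forms


def find_java_serialized_params(xmlrpc_body: str) -> List[Tuple[str, int, str]]:
    """Return (methodName, parameter index, value tag) for every parameter of an
    XML-RPC methodCall whose value begins with the Java serialization magic.

    xml.etree does not resolve external entities, but for untrusted input in
    production prefer defusedxml, which also bounds entity-expansion attacks.
    """
    root = ET.fromstring(xmlrpc_body)
    if root.tag != "methodCall":
        return []
    method = root.findtext("methodName", default="")
    hits = []
    for idx, param in enumerate(root.iterfind("./params/param")):
        for node in param.iter():
            if node.tag not in BLOB_TAGS or not node.text:
                continue
            if any(blob.startswith(JAVA_SERIAL_MAGIC) for blob in _decoded_forms(node.text)):
                hits.append((method, idx, node.tag))
                break  # one report per parameter is enough
    return hits


# --- Constructed sample traffic (not captured from any real system) ---------

BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>constructed.ping</methodName>"
    "<params><param><value><string>hello</string></value></param></params>"
    "</methodCall>"
)

# A stub that merely starts like a serialized object; it is not a gadget chain.
_STUB_STREAM = JAVA_SERIAL_MAGIC + b"sr\x00\x11constructed.Stub\x00"

SUSPICIOUS_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>constructed.invoke</methodName>"
    "<params>"
    "<param><value><int>1</int></value></param>"
    "<param><value><base64>"
    + base64.b64encode(_STUB_STREAM).decode("ascii")
    + "</base64></value></param>"
    "</params></methodCall>"
)

if __name__ == "__main__":
    print("benign:", find_java_serialized_params(BENIGN_REQUEST))
    print("suspicious:", find_java_serialized_params(SUSPICIOUS_REQUEST))
```

The magic-byte check is deliberately narrow: it catches a raw or base64-wrapped Java stream with no false positives on ordinary base64 attachments, but it will miss a stream that is compressed or otherwise transformed before the handler deserializes it, which is why the page treats the vendor build, not validation, as the remediation.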

Vendor advisories from ManageEngine direct customers to upgrade Password Manager Pro to 12101 or later, PAM360 to 5510 or later, and Access Manager Plus to 4303 or later. Public exploit code targeting the deserialization vector has been published, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog.

The associated EPSS score reached a peak of 0.9753 and currently stands at 0.9420, indicating sustained and substantial exploitation interest following disclosure.

Vulnerability details

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

CWE(s): CWE-502 Deserialization of Untrusted Data
KEV Date Added: 22 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zohocorp · manageengine access manager plus · 4.3 (≤ 4.3)
zohocorp · manageengine pam360 · 5.5 (≤ 5.5)
zohocorp · manageengine password manager pro · 12.1 (≤ 12.1)

These CPE ranges are at minor-version granularity. The fixed releases (12101, 5510, 4303) are builds inside the listed 12.1, 5.5 and 4.3 lines, so an asset that reports version 4.3 (or 5.5, or 12.1) is not necessarily patched; the build number is what decides.
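An added example (not the page's or the vendor's code) of triaging an inventory against this CVE using build numbers rather than the coarse CPE ranges above. The fixed builds and the authentication caveat come from the advisory text on this page; the mapping from a build number to its major.minor line (12101 to 12.1, 5510 to 5.5, 4303 to 4.3) is an assumption inferred from those three pairs, and the hostnames and builds in the sample inventory are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the vendor advisory quoted on this page.
FIXED_BUILD: Dict[str, int] = {
    "password_manager_pro": 12101,
    "pam360": 5510,
    "access_manager_plus": 4303,
}

# Only Access Manager Plus needs credentials for exploitation.
AUTH_REQUIRED = {"access_manager_plus"}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'12.1' -> (12, 1) so dotted versions compare in order."""
    return tuple(int(part) for part in version.split("."))


def line_of_build(build: int) -> str:
    """Assumed mapping from a build number to its major.minor line
    (12101 -> '12.1', 5510 -> '5.5', 4303 -> '4.3'); inferred from the three
    pairs on this page, not taken from vendor documentation."""
    return f"{build // 1000}.{(build // 100) % 10}"


def assess(product: str, build: Optional[int] = None, version: Optional[str] = None) -> dict:
    """Decide whether one asset is exposed to CVE-2022-35405.

    The build number is authoritative.  If only a dotted version is known and
    it equals the line the fix landed in, the verdict is 'indeterminate':
    vulnerable and fixed builds share that minor version, so go collect the build.
    """
    if product not in FIXED_BUILD:
        raise ValueError(f"unknown product: {product}")
    fixed = FIXED_BUILD[product]
    if build is not None:
        status = "vulnerable" if build < fixed else "patched"
    elif version is not None:
        known = version_tuple(version)
        fixed_line = version_tuple(line_of_build(fixed))
        if known < fixed_line:
            status = "vulnerable"
        elif known == fixed_line:
            status = "indeterminate"
        else:
            status = "patched"
    else:
        raise ValueError("need a build number or a version string")
    return {
        "product": product,
        "status": status,
        "fixed_build": fixed,
        "unauthenticated_rce": product not in AUTH_REQUIRED,
    }


def triage(inventory: List[dict]) -> List[dict]:
    """Order records: vulnerable and reachable without credentials first, then
    vulnerable but authentication-gated, then indeterminate, then patched."""
    rank = {"vulnerable": 0, "indeterminate": 1, "patched": 2}
    results = []
    for rec in inventory:
        verdict = assess(rec["product"], rec.get("build"), rec.get("version"))
        results.append({"host": rec["host"], **verdict})
    return sorted(results, key=lambda r: (rank[r["status"]], not r["unauthenticated_rce"]))


# Constructed inventory; the hosts and builds are not real assets.
SAMPLE_INVENTORY = [
    {"host": "pmp-01", "product": "password_manager_pro", "build": 12100},
    {"host": "pmp-02", "product": "password_manager_pro", "build": 12101},
    {"host": "amp-01", "product": "access_manager_plus", "version": "4.3"},
    {"host": "pam-01", "product": "pam360", "version": "5.4"},
    {"host": "amp-02", "product": "access_manager_plus", "build": 4250},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row["host"], row["status"], "unauth-rce" if row["unauthenticated_rce"] else "auth-required")
```

The 'indeterminate' verdict is the point of the example: a scanner that keys only on the CPE range will mark every 4.3 Access Manager Plus host as affected, or every one as fixed, and both answers are wrong for part of the fleet.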

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor-supplied builds (Password Manager Pro 12101, PAM360 5510, Access Manager Plus 4303) that remove the deserialization flaw. This is the remediation; the controls below are compensating measures for the window before the upgrade lands.

SI-10 Information Input Validation (prevent)

Mandates validation of all input, including XML-RPC payloads, so that requests carrying serialized Java objects are rejected before they reach the deserialization path that yields unauthenticated RCE.

Software and information integrity checks (prevent, detect)

Requires integrity verification of the deployed software and of incoming data so that unauthorized code introduced through the deserialization vector is blocked or at least detected after the fact.
