Cyber Resilience

CVE-2022-40300

Critical

Published: 16 September 2022
Modified: 06 November 2025
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3825 (97.3rd percentile)
Risk Priority: 43 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40300 is a critical-severity SQL injection (CWE-89) vulnerability in Zoho ManageEngine Password Manager Pro. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine Password Manager Pro through version 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 contain multiple SQL injection vulnerabilities tracked as CVE-2022-40300. The issues are classified under CWE-89 and carry a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access can supply crafted input to trigger the SQL injection flaws, resulting in full compromise of confidentiality, integrity, and availability of the affected password management or privileged access systems. Successful exploitation could allow arbitrary database queries, data exfiltration, or modification of stored credentials and configuration.

Vendor advisories at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-40300.html describe the affected builds and direct administrators to apply the listed updates that resolve the injections. The associated EPSS score rose from lower values after disclosure to a peak of 0.5295 on 2025-12-11 before receding to the current 0.3825, indicating increased exploitation interest well after the original publication date.


Vulnerability details

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zohocorp
Product: manageengine access manager plus
Versions: 4.0, 4.1, 4.2, 4.3

Vendor: zohocorp
Product: manageengine pam360
Versions: 4.0, 4.1, 4.5, 5.0, 5.1

Vendor: zohocorp
Product: manageengine password manager pro
Versions: 10.0, 10.1, 10.2, 10.3, 10.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces to identify SQL injection weaknesses and support their remediation.

Addresses CWE-89: Input validation checks query inputs to prevent manipulation of SQL syntax or commands.
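The control above targets the weakness class (CWE-89), not this product specifically. The following is an added example, not code from the advisory or from ManageEngine, showing the pattern a code reviewer looks for: a query assembled by string formatting next to the same lookup with a bound parameter, plus an allow-list input check as defence in depth. The table, rows and group-name policy are constructed for the example.

```python
"""Added example (not from the advisory or the vendor): the CWE-89 pattern
behind the control described above, shown as a string-built query next to a
parameterized one, run against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data standing in for an application's resource table.
SAMPLE_ROWS = [
    ("db-prod-01", "ops"),
    ("db-prod-02", "ops"),
    ("hr-portal", "hr"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed resource table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (name TEXT NOT NULL, owner_group TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO resources VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_owner_unsafe(conn: sqlite3.Connection, owner_group: str) -> list[str]:
    """Vulnerable pattern (CWE-89): untrusted input is formatted into the SQL
    text, so a quote character in the input changes the query's structure."""
    sql = f"SELECT name FROM resources WHERE owner_group = '{owner_group}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_owner_safe(conn: sqlite3.Connection, owner_group: str) -> list[str]:
    """Hardened form: the query text is fixed and the value travels as a bound
    parameter, so the database engine treats it strictly as data."""
    sql = "SELECT name FROM resources WHERE owner_group = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner_group,)))


def is_valid_group_name(value: str) -> bool:
    """Allow-list validation as defence in depth (constructed policy for this
    example): group names are 1-32 characters of letters, digits, '-' or '_'."""
    return 0 < len(value) <= 32 and all(c.isalnum() or c in "-_" for c in value)


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed input containing a quote character
    print(find_by_owner_unsafe(db, tampered))  # every row: the WHERE clause was rewritten
    print(find_by_owner_safe(db, tampered))    # []: no group has that literal name
    print(is_valid_group_name(tampered))       # False: rejected before reaching the query
```

Parameterization is the primary fix because it removes the ability of input to alter query structure at all; the allow-list check is layered on top so malformed values are rejected early and logged, which also gives detection engineering a clean signal.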
