CVE-2022-40300
Published: 16 September 2022
Summary
CVE-2022-40300 is a critical-severity SQL Injection (CWE-89) vulnerability in Zohocorp Manageengine Password Manager Pro. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine Password Manager Pro builds up to and including 12120 (fixed in 12121), PAM360 builds up to and including 5550 (fixed in 5600), and Access Manager Plus builds up to and including 4304 (fixed in 4305) contain multiple SQL injection vulnerabilities tracked as CVE-2022-40300. The issues are classified under CWE-89 and carry a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no requirement for authentication or user interaction.
An unauthenticated attacker with network access can supply crafted input that reaches the vulnerable SQL statements, resulting in full compromise of the confidentiality, integrity, and availability of the affected password management or privileged access system. Successful exploitation could allow arbitrary database queries, data exfiltration, or modification of stored credentials and configuration.
The vendor advisory at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-40300.html describes the affected builds and directs administrators to apply the listed updates that resolve the injections. The associated EPSS score rose from lower values after disclosure to a peak of 0.5295 on 2025-12-11 before receding to the current 0.3825, indicating increased exploitation interest well after the original publication date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43597
Vulnerability details
Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.