Cyber Resilience

CVE-2022-43671

Critical

Published: 12 November 2022

Modified: 01 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5195 (98.0th percentile)
Risk Priority: 51 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-43671 is a critical-severity SQL Injection (CWE-89) vulnerability in Zoho ManageEngine Access Manager Plus. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine Password Manager Pro versions prior to 12122, PAM360 versions prior to 5711, and Access Manager Plus versions prior to 4306 contain a SQL injection vulnerability tracked as CVE-2022-43671 and assigned CWE-89. The issue carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible flaw that requires no authentication or user interaction.

An unauthenticated remote attacker can supply crafted input to trigger the injection, enabling arbitrary SQL execution that may result in complete loss of confidentiality, integrity, and availability of the affected password-management or privileged-access system.

The vendor advisory published at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43671.html addresses the flaw and directs customers to apply the fixed releases listed above.

The associated EPSS score currently stands at 0.5195 and has shown no material increase over its post-disclosure baseline.


Vulnerability details

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Version · Affected range
zohocorp · manageengine access manager plus · 4.3 · ≤ 4.3
zohocorp · manageengine pam360 · 5.7 · ≤ 5.7
zohocorp · manageengine password manager pro · 12.1 · ≤ 12.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
