CVE-2022-43671
Published: 12 November 2022
Summary
CVE-2022-43671 is a critical-severity SQL Injection (CWE-89) vulnerability in Zoho ManageEngine Password Manager Pro, PAM360 and Access Manager Plus. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Zoho ManageEngine Password Manager Pro builds prior to 12122, PAM360 builds prior to 5711, and Access Manager Plus builds prior to 4306 contain a SQL injection vulnerability tracked as CVE-2022-43671 and assigned CWE-89. The issue carries a CVSS 3.1 base score of 9.8, reflecting a flaw reachable over the network with low attack complexity that requires no privileges or user interaction and has high impact on confidentiality, integrity and availability (the 9.8 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can supply crafted input to trigger the injection, enabling arbitrary SQL execution that may result in complete loss of confidentiality, integrity, and availability of the affected password-management or privileged-access system.
The vendor advisory published at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43671.html addresses the flaw and directs customers to apply the fixed releases listed above.
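The advisory's remediation is a build-number threshold per product, so the practical first step is to find every installation below those thresholds. The following script is an added example (not the vendor's or NVD's code) that triages a constructed asset inventory against the fixed builds named on this page; the CSV columns, the hostnames and the product aliases are assumptions made for the illustration.

```python
"""Added example: flag ManageEngine installations affected by CVE-2022-43671.

Fixed builds are taken from the NVD description on this page:
  Password Manager Pro  12122
  PAM360                5711
  Access Manager Plus   4306
Builds below those numbers are affected. The inventory format (host,product,build),
the hostnames and the product aliases are assumptions made for this example.
"""
from __future__ import annotations

import csv
import io

# Fixed build per product, from the NVD description of CVE-2022-43671.
FIXED_BUILDS: dict[str, int] = {
    "Password Manager Pro": 12122,
    "PAM360": 5711,
    "Access Manager Plus": 4306,
}

# Names an asset inventory might use for the same products (assumed, lower-cased).
ALIASES: dict[str, str] = {
    "pmp": "Password Manager Pro",
    "password manager pro": "Password Manager Pro",
    "pam360": "PAM360",
    "amp": "Access Manager Plus",
    "access manager plus": "Access Manager Plus",
}


def normalise_product(name: str) -> str | None:
    """Map an inventory product string onto one of the three affected products."""
    key = " ".join(name.lower().split())
    return ALIASES.get(key)


def parse_build(value: str) -> int | None:
    """ManageEngine build numbers are plain integers (e.g. 12100); reject anything else
    rather than guessing, so a dotted version string lands in 'unknown'."""
    value = value.strip()
    return int(value) if value.isdigit() else None


def is_affected(product: str, build: str) -> bool | None:
    """True if the build is below the fixed build for this CVE, False if at or above it,
    None if the product is not one of the three or the build cannot be parsed."""
    canonical = normalise_product(product)
    number = parse_build(build)
    if canonical is None or number is None:
        return None
    return number < FIXED_BUILDS[canonical]


def triage_inventory(csv_text: str) -> dict[str, list[str]]:
    """Bucket hosts from a CSV with columns host,product,build into
    affected / fixed / unknown, preserving input order within each bucket."""
    result: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_affected(row["product"], row["build"])
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(row["host"])
    return result


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """host,product,build
pmp01.example.internal,Password Manager Pro,12100
pmp02.example.internal,PMP,12122
pam01.example.internal,PAM360,5700
amp01.example.internal,Access Manager Plus,4306
amp02.example.internal,Access Manager Plus,4.3.0
other.example.internal,ServiceDesk Plus,14000
"""

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts on exactly the fixed build are reported as fixed, because the NVD wording is "before" the listed build; anything whose build field is not a bare integer is deliberately left in the unknown bucket for a human to check rather than silently treated as patched.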
The associated EPSS score stands at 0.5195, that is, an estimated 52% probability of exploitation activity within the next 30 days; it has held at roughly that level rather than climbing from a lower baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46665
Vulnerability details
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
- CWE(s): CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
- Zoho ManageEngine Password Manager Pro, builds before 12122 (fixed in 12122)
- Zoho ManageEngine PAM360, builds before 5711 (fixed in 5711)
- Zoho ManageEngine Access Manager Plus, builds before 4306 (fixed in 4306)
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet, so no automatically derived control list is available; what follows is limited to what the weakness type (CWE-89) cited in the NVD entry and the vendor advisory support. The established control is the vendor fix: upgrade Password Manager Pro to build 12122 or later, PAM360 to 5711 or later, and Access Manager Plus to 4306 or later, per the advisory linked above. Because the flaw is reachable without authentication, restricting network exposure of the web console to trusted administrative networks until the upgrade is applied is the standard compensating control for this weakness class.
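The weakness type behind this CVE, CWE-89, is concrete enough to show in code. The block below is an added example and is not ManageEngine's code: it runs a constructed SQLite schema (an accounts table and a small vault table standing in for the kind of data a privileged-access product holds) through a string-concatenated lookup and a parameterised one, so the difference between "complete loss of confidentiality" and a harmless no-match is visible in the returned rows. The schema, data, payloads and function names are all assumptions made for the illustration and say nothing about the product's actual queries or endpoints.

```python
"""Added example (not ManageEngine's code): the CWE-89 weakness class behind
CVE-2022-43671, demonstrated on a constructed in-memory SQLite database.

Schema, rows, payloads and function names are assumptions for the illustration.
"""
from __future__ import annotations

import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed toy schema: user accounts plus a table of stored secrets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        INSERT INTO accounts (username, role) VALUES ('alice', 'admin'), ('bob', 'auditor');
        CREATE TABLE vault (id INTEGER PRIMARY KEY, resource TEXT, secret TEXT);
        INSERT INTO vault (resource, secret) VALUES
            ('db-prod', 'cxAmpl3-s3cr3t'), ('fw-core', 'f1rewall-pw');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """CWE-89: untrusted input is spliced into the statement text, so a quote
    in the input ends the literal and the rest is executed as SQL."""
    sql = f"SELECT username, role FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterised statement: the driver binds the input as a value, so it can
    never change the shape of the query no matter what characters it contains."""
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads. The UNION pulls rows from an unrelated table through the
# account lookup (what "arbitrary SQL execution" means for stored secrets); the
# OR turns a filtered lookup into an unfiltered one.
DUMP_PAYLOAD = "x' UNION SELECT resource, secret FROM vault -- "
BYPASS_PAYLOAD = "' OR '1'='1"


def demo() -> dict[str, list[tuple]]:
    """Run both payloads against both lookups and return the rows each produced."""
    conn = build_demo_db()
    return {
        "vuln_bypass": lookup_vulnerable(conn, BYPASS_PAYLOAD),
        "vuln_dump": lookup_vulnerable(conn, DUMP_PAYLOAD),
        "safe_bypass": lookup_hardened(conn, BYPASS_PAYLOAD),
        "safe_dump": lookup_hardened(conn, DUMP_PAYLOAD),
        "safe_normal": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every account for the OR payload and every vault row for the UNION payload; the parameterised lookup returns nothing for either, while still finding a genuine username. Input filtering is not what fixes this: the hardened version never inspects the input at all, it simply refuses to let input become query text.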