CVE-2022-43672
Published: 12 November 2022
Summary
CVE-2022-43672 is a critical-severity SQL Injection (CWE-89) vulnerability in Zohocorp Manageengine Access Manager Plus. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine Password Manager Pro before version 12122, PAM360 before 5711, and Access Manager Plus before 4306 are affected by a SQL injection vulnerability tracked as CVE-2022-43672 and assigned CWE-89. The flaw resides in a different software component than the related CVE-2022-43671 and carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can supply crafted input to trigger the injection, resulting in full read, write, and delete access to the underlying database and thereby full compromise of confidentiality, integrity, and availability of the password-management system.
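The paragraph above describes the general CWE-89 failure: untrusted input spliced into SQL text lets the caller rewrite the query. The page does not disclose which component in the ManageEngine products is injectable, so the following is an added, self-contained illustration (not ManageEngine's code) of the weakness class next to the hardened form. It uses a hypothetical in-memory SQLite table standing in for a password-manager inventory and constructed sample rows; the `lookup_unsafe`/`lookup_safe` names and the crafted input string are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: a toy "resources" table standing in for a
# password-manager inventory. Hypothetical schema, not ManageEngine's.
SAMPLE_ROWS = [
    ("prod-db", "dba", "s3cret-1"),
    ("bastion", "ops", "s3cret-2"),
    ("ldap", "admin", "s3cret-3"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (name TEXT, account TEXT, secret TEXT)")
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """CWE-89: the caller's input becomes part of the SQL statement text."""
    sql = f"SELECT name, account FROM resources WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter, which the driver never parses as SQL."""
    sql = "SELECT name, account FROM resources WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Compare row counts returned by both lookups for benign and crafted input.

    Returns a dict so the behaviour can be checked programmatically:
    the unsafe lookup leaks every row for the crafted input, the safe
    lookup treats it as an ordinary (non-matching) string.
    """
    conn = make_db()
    benign = "prod-db"
    # Constructed stand-in for the "crafted input" the advisory text describes.
    crafted = "x' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that the fix is structural, not a matter of filtering particular characters: with a bound parameter the database receives the statement and the value separately, so no input can change the query's shape. That is why the vendor's response is a fixed build rather than an input blocklist.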
Vendor advisories published at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672.html direct customers to apply the listed fixed builds for each product.
The associated EPSS score currently stands at 0.4331 after reaching a peak of 0.5195, indicating sustained exploitation interest well after the 2022 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46666
Vulnerability details
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.