Cyber Resilience

CVE-2022-43672

Severity: Critical
Published: 12 November 2022
Modified: 01 May 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: vendor fixed builds available (see advisory below)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4331 (97.6th percentile)
Risk Priority: 46 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-43672 is a critical-severity SQL Injection (CWE-89) vulnerability in three Zohocorp ManageEngine privileged-access products: Password Manager Pro, PAM360, and Access Manager Plus. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 2.4% of CVEs by predicted exploit likelihood (97.6th percentile); it is not currently listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation has been recorded there.

Deeper analysis

Zoho ManageEngine Password Manager Pro before build 12122, PAM360 before build 5711, and Access Manager Plus before build 4306 are affected by a SQL injection vulnerability tracked as CVE-2022-43672 and assigned CWE-89. The flaw resides in a different software component from the related CVE-2022-43671 and carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

Because the vector is PR:N/UI:N, an unauthenticated remote attacker who can reach the product's network interface can supply crafted input to trigger the injection, resulting in read, write, and delete access to the underlying database and thereby full compromise of the confidentiality, integrity, and availability of the password-management system and the credentials it vaults.

Vendor advisories published at https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672.html direct customers to apply the listed fixed builds for each product.

The associated EPSS score currently stands at 0.4331 after reaching a peak of 0.5195. EPSS estimates the probability of exploitation activity in the next 30 days, so a value this high, sustained well after the 2022 disclosure, indicates continued attacker interest even though the CVE has not been added to KEV.

Vulnerability details

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named threat actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

zohocorp · manageengine access manager plus · versions ≤ 4.3 (builds before 4306)
zohocorp · manageengine pam360 · versions ≤ 5.7 (builds before 5711)
zohocorp · manageengine password manager pro · versions ≤ 12.1 (builds before 12122)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing: uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

Query input validation: validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)
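
As an added illustration of the CWE-89 pattern behind this entry (not code from the original page, from the vendor advisory, or from ManageEngine; the page does not identify the vulnerable component, so the schema, rows, and payloads below are constructed for the demo), the Python block shows the same lookup written with string concatenation and with a bound parameter, how a tautology payload and a UNION schema-read payload behave against each, and an allow-list check for the one input class (column identifiers) that cannot be bound as a parameter. It assumes Python 3 with the standard sqlite3 module.

```python
"""CWE-89 demonstration: string-built SQL beside its parameterized replacement.

Added example for this CVE entry. It is not ManageEngine code and does not
reproduce the CVE-2022-43672 injection point, which the page does not
describe; the schema, rows and payloads are constructed for the demo.
"""
import sqlite3

# Constructed rows standing in for a credential vault's resource table.
SAMPLE_RESOURCES = [
    (1, "db-prod-01", "ops-team", "s3cr3t-prod"),
    (2, "db-test-01", "ops-team", "s3cr3t-test"),
    (3, "hr-portal", "hr-team", "hr-passw0rd"),
]

# Identifiers (column names) cannot be bound as parameters, so they are
# checked against a fixed allow-list instead.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "owner"})


def make_db() -> sqlite3.Connection:
    """Return an in-memory SQLite database populated with SAMPLE_RESOURCES."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?, ?)", SAMPLE_RESOURCES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89: the caller-controlled value is spliced into the SQL text, so a
    quote character in it changes the statement the engine parses."""
    sql = "SELECT id, name, secret FROM resources WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Fix: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, name, secret FROM resources WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def list_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Allow-list validation for the one place a bound parameter cannot be used."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Interpolation is acceptable here only because sort_column was just
    # matched against a closed set of known identifiers.
    return conn.execute(f"SELECT id, name FROM resources ORDER BY {sort_column}").fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                          # widen the WHERE clause
SCHEMA_DUMP = "x' UNION SELECT 0, name, sql FROM sqlite_master--"  # read table definitions


def demo() -> dict:
    """Run both lookups with a benign value and both payloads; return the results."""
    conn = make_db()
    return {
        "benign_rows": len(lookup_parameterized(conn, "ops-team")),
        "vuln_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vuln_schema_dump": lookup_vulnerable(conn, SCHEMA_DUMP),
        "param_tautology_rows": len(lookup_parameterized(conn, TAUTOLOGY)),
        "param_schema_rows": len(lookup_parameterized(conn, SCHEMA_DUMP)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the comparison. The point that carries over to any stack: the parameterized query returns zero rows for both payloads because the engine never parses the input as SQL, while the concatenated query first returns every row and then the schema definitions. Parameterize data values, allow-list identifiers, and treat input validation as defense in depth rather than the primary control.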

References

Vendor advisory: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672.html