CVE-2022-29081
📋 TL;DR
This vulnerability lets an unauthenticated attacker bypass access controls on a small set of REST API endpoints (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents and Synchronize) in Zoho ManageEngine Access Manager Plus, Password Manager Pro and PAM360 by placing the '../RestAPI' substring in the request path. Because these products hold an organization's privileged credentials and sessions, a reachable unpatched instance puts that whole privileged access management layer at risk.
💻 Affected Systems
- Zoho ManageEngine Access Manager Plus
- Zoho ManageEngine Password Manager Pro
- Zoho ManageEngine PAM360
📦 What is this software?
Manageengine Access Manager Plus by Zohocorp: a privileged session management product that brokers and records administrative sessions to servers and network devices.
Manageengine Password Manager Pro by Zohocorp: an enterprise privileged password vault that stores, rotates and shares administrative credentials.
Manageengine PAM360 by Zohocorp: the full privileged access management suite from the same product family, covering both credential vaulting and session management.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing unauthorized access to privileged credentials, session data, and administrative functions, potentially leading to lateral movement across the network.
Likely Case
Unauthorized access to sensitive API endpoints allowing attackers to view or modify privileged access data, license information, and system configurations.
If Mitigated
Reduced exposure where network segmentation and a gateway or WAF in front of the product keep untrusted clients away from the web interface. These controls do not remove the bypass: anyone who can reach the interface, including an attacker already inside the trusted network, can still use it, so treat them as a bridge to patching rather than a substitute.
🎯 Exploit Status
Exploitation needs no credentials and nothing beyond an HTTP request whose path contains the '../RestAPI' substring. Bypasses keyed on a '../' substring are characteristically path-normalization mismatches: the check that gates the REST API and the code that routes the request read the path differently, so the traversal segment slips past the check yet still lands on the protected endpoint. Public proof-of-concept code exists demonstrating the bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Access Manager Plus 4302, Password Manager Pro 12007, PAM360 5401
Vendor Advisory: https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html
Restart Required: Yes
Instructions:
1. Record the current build number from the product console so the upgrade can be confirmed afterwards.
2. Back up the current configuration and database.
3. Download the fixed build (Access Manager Plus 4302, Password Manager Pro 12007 or PAM360 5401, or later) from the ManageEngine website.
4. Stop the ManageEngine service.
5. Install the update following the vendor's upgrade instructions.
6. Restart the service, confirm the console now shows the fixed build number, and verify normal functionality.
🔧 Temporary Workarounds
Web Application Firewall Rules
Block requests whose path contains the '../RestAPI' substring
WAF rule: deny requests where the decoded, normalized URI contains '../RestAPI'. Match on the decoded path rather than the raw bytes: a literal-only rule is evaded by percent-encoding the dots or the slash (for example %2e%2e/RestAPI), and make sure legitimate /RestAPI requests that carry no traversal segment are not blocked.
Network Segmentation
Restrict access to ManageEngine instances to trusted networks only
Firewall rule: allow only specific IP ranges to reach the ManageEngine web ports, and apply the same restriction to any reverse proxy or load balancer that fronts the product
🧯 If You Can't Patch
- Implement strict network access controls so that only the administrators and systems that genuinely need the ManageEngine web interface can reach it
- Deploy a web application firewall that blocks '../RestAPI' in the decoded request path (raw and percent-encoded forms alike), and review its logs for blocked attempts, since each one is a sign someone is probing the instance
🔍 How to Verify
Check if Vulnerable:
Check whether a request whose path contains the '../RestAPI' substring and resolves to one of the affected actions (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, Synchronize) is answered with data when no valid session is presented, while the direct /RestAPI/<action> request without a session is refused. Test only instances you are authorized to probe; the build-number check below is the non-intrusive alternative.
Check Version:
Check the product build number in the web interface under Help > About or in the product console, and compare it with the fixed builds: Access Manager Plus 4302, Password Manager Pro 12007, PAM360 5401. Anything lower is vulnerable.
Verify Fix Applied:
After patching, confirm the console shows a build at or above the fixed version, then repeat the same requests and verify they are refused with an authentication error (or the traversal path is rejected outright) instead of returning data.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests whose path contains '../RestAPI', either raw or percent-encoded (for example %2e%2e/RestAPI or %2e%2e%2fRestAPI); match on the decoded path
- Successful (2xx) responses to the SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents or Synchronize actions on requests that carry no authenticated session
Network Indicators:
- HTTP GET/POST requests to the affected endpoints without authentication headers or a session cookie
- Unusual traffic patterns to REST API endpoints, such as bursts of API calls from a single source that never authenticated
SIEM Query:
source="manageengine" AND (url="*../RestAPI*" OR url="*%2e%2e*RestAPI*" OR url="*%2E%2E*RestAPI*" OR (endpoint IN ("SSOutAction", "SSLAction", "LicenseMgr", "GetProductDetails", "GetDashboard", "FetchEvents", "Synchronize") AND status=200 AND session="-"))
The field names here (source, url, endpoint, status, session) are illustrative and must be mapped to whatever your access-log parser emits. The bare endpoint list on its own also matches legitimate authenticated use, which is why it is combined with a success code and a missing session; the traversal substring is the high-confidence indicator.
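The WAF workaround and the detection guidance above both hinge on the same point: a rule that looks for the literal bytes '../RestAPI' misses percent-encoded variants, so matching has to happen on the decoded path. The script below is an added example written for this page, not code from Zoho, ManageEngine or the original advisory. It parses constructed common-format access-log lines (the sample traffic is made up), decodes each request path, reports only requests that traverse into /RestAPI, and records whether a literal-substring rule would have caught each one. The action names are the ones listed in the advisory; the log format and field layout are assumptions.

```python
"""Find CVE-2022-29081-style '../RestAPI' traversal requests in web access logs.

Added example for this page; it is not code from Zoho or ManageEngine.
Assumptions: log lines follow the common/combined format with the request
line in quotes and the status code right after it. The sample lines below
are constructed for the demo and are not real traffic.
"""
import re
from urllib.parse import unquote

# Actions named in the advisory for CVE-2022-29081.
AFFECTED_ACTIONS = {
    "SSOutAction", "SSLAction", "LicenseMgr", "GetProductDetails",
    "GetDashboard", "FetchEvents", "Synchronize",
}

# Pulls method, URI and status out of a common/combined-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log: a normal unauthenticated request that is refused,
# three traversal attempts (plain, percent-encoded, double-encoded) that
# succeed, and a legitimate authenticated API call.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2022:10:01:02 +0000] "GET /RestAPI/GetDashboard HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Apr/2022:10:01:07 +0000] "GET /foo/../RestAPI/GetDashboard HTTP/1.1" 200 1532 "-" "curl/7.68.0"',
    '10.0.0.9 - - [15/Apr/2022:10:01:09 +0000] "GET /foo/%2e%2e/RestAPI/LicenseMgr HTTP/1.1" 200 844 "-" "curl/7.68.0"',
    '10.0.0.9 - - [15/Apr/2022:10:01:12 +0000] "POST /foo/%252e%252e%252fRestAPI/SSOutAction HTTP/1.1" 200 97 "-" "curl/7.68.0"',
    '10.0.0.7 - - [15/Apr/2022:10:02:30 +0000] "POST /RestAPI/FetchEvents HTTP/1.1" 200 20481 "-" "Mozilla/5.0"',
]


def canonicalize(uri: str) -> str:
    """Strip the query string and percent-decode until the path stops changing.

    Decoding more than once is deliberate for detection: it costs little and
    catches double-encoded variants that a single decode would miss.
    """
    path = uri.split("?", 1)[0]
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def literal_match(uri: str) -> bool:
    """What a naive WAF rule ('URI contains ../RestAPI') sees: the raw bytes only."""
    return "../RestAPI" in uri


def normalized_match(uri: str) -> bool:
    """Decode first, then look for the traversal-into-RestAPI substring."""
    return "../RestAPI" in canonicalize(uri)


def targeted_action(uri: str):
    """Return the affected action the decoded path points at, or None."""
    for segment in canonicalize(uri).split("/"):
        if segment in AFFECTED_ACTIONS:
            return segment
    return None


def scan(lines):
    """Return one finding per request that traverses into /RestAPI.

    Plain /RestAPI/<action> calls are not reported: authenticated users make
    them legitimately, so the traversal segment is the actual indicator.
    """
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not normalized_match(m.group("uri")):
            continue
        status = int(m.group("status"))
        findings.append({
            "uri": m.group("uri"),
            "action": targeted_action(m.group("uri")),
            "status": status,
            # A 2xx answer to a traversal request means data came back without auth.
            "succeeded": 200 <= status < 300,
            # False here means a literal-substring WAF rule would have let it through.
            "caught_by_literal_rule": literal_match(m.group("uri")),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, only the three traversal requests are reported, and two of them (the percent-encoded and double-encoded ones) show `caught_by_literal_rule` as False, which is exactly the gap a raw-substring WAF rule leaves. Point `scan()` at real access-log lines and feed the `succeeded` findings to your SIEM; the refused (401/403) ones are still worth keeping as reconnaissance indicators.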