CVE-2022-35403
📋 TL;DR
This vulnerability allows unauthenticated attackers to read local files on Zoho ManageEngine servers via specially crafted ticket-creation emails. It affects ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus, and Asset Explorer products. Attackers can access sensitive files without credentials in most affected products.
💻 Affected Systems
- Zoho ManageEngine ServiceDesk Plus
- Zoho ManageEngine ServiceDesk Plus MSP
- Zoho ManageEngine SupportCenter Plus
- Zoho ManageEngine Asset Explorer
📦 What is this software?
Manageengine Servicedesk Plus Msp by Zohocorp
Manageengine Supportcenter Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through disclosure of configuration files, passwords, or other sensitive data leading to privilege escalation or lateral movement.
Likely Case
Unauthorized access to sensitive files containing credentials, configuration data, or business information.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place.
🎯 Exploit Status
Exploitation involves sending specially crafted emails to trigger file disclosure. No public exploit code is confirmed, but the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ServiceDesk Plus 13008+, ServiceDesk Plus MSP 10606+, SupportCenter Plus 11022+, Asset Explorer 6977+
Vendor Advisory: https://www.manageengine.com/products/service-desk/cve-2022-35403.html
Restart Required: Yes
Instructions:
1. Download the latest version from the ManageEngine website.
2. Back up your current installation.
3. Run the installer/upgrade package.
4. Restart the service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable email-based ticket creation
Temporarily disable the email parsing functionality that processes ticket-creation emails.
Restrict email access
Configure the email server to accept ticket-creation emails only from trusted sources.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ManageEngine servers from untrusted networks.
- Apply file system permissions to restrict access to sensitive files and directories.
🔍 How to Verify
Check if Vulnerable:
Check the product version in the web interface under Help > About or via the server console.
Check Version:
Check the web interface or consult the product documentation for version checking commands specific to your installation.
Verify Fix Applied:
Verify the version number matches or exceeds the patched versions listed in the fix section.
📡 Detection & Monitoring
Log Indicators:
- Unusual email processing activity
- File access patterns from email parsing components
- Error logs related to file path traversal
Network Indicators:
- Unusual email traffic to the ManageEngine server
- Outbound data transfers following email receipt
SIEM Query:
source="manageengine*" AND (event="email_processing" OR event="file_access") AND path="*..*"
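As an added example (not from this advisory or from ManageEngine), the following Python applies the same traversal check as the SIEM query to key=value log lines, percent-decoding paths first so that encoded `..` segments are not missed. The log format, field names and sample lines are constructed assumptions, not the product's real log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed format, not ManageEngine's real one):
# each records an email-driven ticket event and the file path the parser touched.
SAMPLE_LOGS = [
    '2022-07-01T10:01:12Z event=email_processing sender=user@example.com path="attachments/report.pdf"',
    '2022-07-01T10:02:45Z event=file_access component=mailparser path="../../conf/database_params.conf"',
    '2022-07-01T10:03:10Z event=file_access component=mailparser path="%2e%2e/%2e%2e/conf/server.xml"',
    '2022-07-01T10:04:00Z event=file_access component=mailparser path="attachments/..\\..\\logs\\app.log"',
    '2022-07-01T10:05:30Z event=ticket_created id=1234',
]

EVENTS_OF_INTEREST = {"email_processing", "file_access"}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse a key=value log line into a dict, unwrapping quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def normalize_path(path):
    """Percent-decode until stable (defeats double encoding) and unify separators."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def has_traversal(path):
    """True if any segment of the normalized path is '..' (an upward traversal)."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def find_suspicious(lines):
    """Return (line, decoded_path) for email/file events whose path traverses upward."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("event") in EVENTS_OF_INTEREST and "path" in f and has_traversal(f["path"]):
            hits.append((line, normalize_path(f["path"])))
    return hits


if __name__ == "__main__":
    for line, decoded in find_suspicious(SAMPLE_LOGS):
        print("SUSPICIOUS:", decoded, "<-", line)
```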