CVE-2022-35405
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary code on Zoho ManageEngine Password Manager Pro and PAM360 systems through Java deserialization in the XML-RPC endpoints. Access Manager Plus is affected by the same flaw, but there it requires authentication. Successful exploitation gives the attacker full control of the affected system.
💻 Affected Systems
- Zoho ManageEngine Password Manager Pro
- Zoho ManageEngine PAM360
- Zoho ManageEngine Access Manager Plus
📦 What is this software?
Manageengine Access Manager Plus by Zohocorp
Manageengine Password Manager Pro by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to credential theft, lateral movement, and persistent backdoor installation across the network.
Likely Case
Remote code execution resulting in data exfiltration, ransomware deployment, or credential harvesting from the password manager database.
If Mitigated
Limited impact if systems are isolated, patched, or have network controls preventing external access.
🎯 Exploit Status
Exploit code is publicly available and actively used in attacks. CISA has added this to its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Password Manager Pro 12101+, PAM360 5510+, Access Manager Plus 4303+
Vendor Advisory: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
Restart Required: Yes
Instructions:
1. Download the latest version from the ManageEngine website.
2. Back up your current installation.
3. Apply the patch/upgrade.
4. Restart the service.
5. Verify the fix.
🔧 Temporary Workarounds
Network Segmentation
Block external access to ManageEngine services at the firewall.
Disable XML-RPC Endpoints
Remove or restrict access to the vulnerable XML-RPC endpoints if possible.
🧯 If You Can't Patch
- Immediately isolate affected systems from the internet and critical internal networks.
- Implement strict network access controls and monitor for exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the product version in the web interface or installation directory. For Password Manager Pro, navigate to Help > About. Compare against affected versions.
Check Version:
On Linux: cat /opt/ManageEngine/PasswordManagerPro/conf/version.txt. On Windows: check the installation directory for the version file.
Verify Fix Applied:
Verify that the version has been updated to Password Manager Pro 12101+, PAM360 5510+, or Access Manager Plus 4303+. Confirm that the XML-RPC endpoints are no longer vulnerable.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML-RPC requests
- Java deserialization errors in logs
- Unexpected process execution
Network Indicators:
- XML-RPC requests to ManageEngine endpoints from unexpected sources
- Outbound connections from ManageEngine servers to unknown IPs
SIEM Query:
source="*manageengine*" AND ("XML-RPC" OR "deserialization" OR "java.lang.Runtime")
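The indicator checklist above can be turned into a simple triage script. The following is an added example, not code from the advisory or from ManageEngine: it tags each log line with the indicators it matches (an XML-RPC request, one from a source outside an assumed trusted network, or a Java deserialization error) and raises an alert when an untrusted XML-RPC request and a deserialization error appear in the same log window. The log line format, the trusted network and all sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators from the advisory's "Log Indicators" / "Network Indicators" lists. The access-log
# layout, the markers and the sample lines are constructed for this example, not real
# ManageEngine output; adjust the regex to the deployment's actual log format.
XMLRPC_REQUEST = re.compile(r'^(?P<src>\S+) .*"(?:POST|GET) (?P<path>\S*xmlrpc\S*) ', re.IGNORECASE)
DESER_MARKERS = ("ObjectInputStream", "InvalidClassException", "java.lang.Runtime", "deserializ")

# Networks whose XML-RPC calls are expected (assumed value; set to the real management range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log window: one benign request, two XML-RPC posts from an external address,
# one application-log deserialization error, and one XML-RPC post from the trusted range.
SAMPLE_LOGS = [
    '10.0.0.8 - - [10/Aug/2022:12:01:01 +0000] "GET /PassTrixMain.cc HTTP/1.1" 200 8812',
    '203.0.113.45 - - [10/Aug/2022:12:01:03 +0000] "POST /xmlrpc HTTP/1.1" 200 512',
    'ERROR [10/Aug/2022 12:01:04] XmlRpcServlet: java.io.InvalidClassException at java.io.ObjectInputStream',
    '203.0.113.45 - - [10/Aug/2022:12:01:06 +0000] "POST /xmlrpc HTTP/1.1" 500 0',
    '10.0.0.8 - - [10/Aug/2022:12:01:07 +0000] "POST /xmlrpc HTTP/1.1" 200 512',
]

def is_trusted(src, trusted_nets):
    """True when src parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)

def tag_line(line, trusted_nets=TRUSTED_NETS):
    """Return the set of indicator tags that apply to a single log line."""
    tags = set()
    m = XMLRPC_REQUEST.match(line)
    if m:
        tags.add("xmlrpc_request")
        if not is_trusted(m.group("src"), trusted_nets):
            tags.add("xmlrpc_untrusted_source")
    if any(marker in line for marker in DESER_MARKERS):
        tags.add("deserialization_error")
    return tags

def triage(lines, trusted_nets=TRUSTED_NETS):
    """Count indicators over a log window; alert when an untrusted XML-RPC request and a
    deserialization error both occur in that window (the combination the advisory describes)."""
    counts = {"xmlrpc_request": 0, "xmlrpc_untrusted_source": 0, "deserialization_error": 0}
    flagged = []
    for line in lines:
        tags = tag_line(line, trusted_nets)
        for t in tags:
            counts[t] += 1
        if tags:
            flagged.append((sorted(tags), line))
    alert = counts["xmlrpc_untrusted_source"] > 0 and counts["deserialization_error"] > 0
    return {"counts": counts, "flagged": flagged, "alert": alert}

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for tags, line in result["flagged"]:
        print(",".join(tags), "|", line)
    print("ALERT" if result["alert"] else "no alert")
```

Run it over the exported access and application logs for the same time window; a single XML-RPC request from an unexpected source is worth a look on its own, but the paired deserialization error is what should page someone.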
🔗 References
- http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html
- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-35405