WARNING: Critical SQL Injection Vulnerability in ZOHO Access Manager Plus, ZOHO PAM360 and ZOHO Password Manager Pro. Patch immediately!
An attacker can execute custom queries and access database entries using a vulnerable endpoint in Access Manager Plus versions 4308 and below, PAM360 versions 5800 and below, and Password Manager Pro versions 12200 and below.
This allows an attacker to access unauthorized data and may lead to full code execution.
ZOHO ManageEngine vulnerabilities have previously been targeted by nation-state threat actors. In 2021, a Chinese APT actor actively exploited Internet-facing ZOHO management servers, according to a security advisory from CISA and the FBI.
Exploitation of the recently disclosed flaw can be expected. Around 11,000 servers are running the affected solutions and will be vulnerable if not updated to the latest versions.
The impact on Confidentiality, Integrity and Availability is HIGH.
Access Manager Plus, PAM360, and Password Manager Pro are business access management solutions.
The CCB urges all users of ZOHO ManageEngine Password Manager Pro, ZOHO PAM360, and ZOHO Access Manager Plus solutions to update the software to the latest version as soon as possible to fix a critical SQL injection vulnerability.
A remote unauthenticated adversary can gain access to the backend database and execute custom queries.
The patches, which were released in late December, add proper validation and escape special characters to prevent exploitation of the flaw.
Users should upgrade to Password Manager Pro v12210, PAM360 v5801, and Access Manager Plus v4309.
Zoho recommends patching affected software:
Upgrade to ZOHO Password Manager Pro version 12210 or above
Upgrade to ZOHO PAM360 version 5801 or above
Upgrade to ZOHO Access Manager Plus version 4309 or above