CVE-2022-35405

EUVD-2022-38295
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
zohocorpmanageengine_access_manager_plus
𝑥
< 4.3
zohocorpmanageengine_access_manager_plus
4.3:build4300
zohocorpmanageengine_access_manager_plus
4.3:build4301
zohocorpmanageengine_access_manager_plus
4.3:build4302
zohocorpmanageengine_pam360
𝑥
< 5.5
zohocorpmanageengine_pam360
5.5:build5500
zohocorpmanageengine_password_manager_pro
𝑥
< 12.1
zohocorpmanageengine_password_manager_pro
12.1:build12100
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html
https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
http://packetstormsecurity.com/files/167918/Zoho-Password-Manager-Pro-XML-RPC-Java-Deserialization.html
https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-35405