The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a recently disclosed security flaw in Zoho ManageEngine, tracked as CVE-2022-35405 (CVSS score 9.8), to its Known Exploited Vulnerabilities Catalog.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
The CVE-2022-35405 flaw is a remote code execution vulnerability that impacts Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus.
“Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution.” reads the advisory published by CISA.
Zoho addressed the issue by removing the vulnerable components and strongly recommends its customers to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately due to the availability of a PoC exploit.
CISA orders federal agencies to fix these vulnerabilities by October 13, 2022.
(SecurityAffairs – hacking, Zoho)