The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added[1] a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV[2]) Catalog, citing evidence of active exploitation.

“Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution,” the agency said in a notice.

The critical vulnerability[3], tracked as CVE-2022-35405[4], is rated 9.8 out of 10 for severity on the CVSS scoring system, and was patched by Zoho as part of updates released on June 24, 2022.

Although the exact nature of the flaw remains unknown, the India-based enterprise solutions company said[5] it addressed the issue by removing the vulnerable components that could lead to the remote execution of arbitrary code.

Zoho has also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative that customers move quickly to upgrade their instances of Password Manager Pro, PAM360 and Access Manager Plus as soon as possible.

In light of active exploitation in the wild, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 13, 2022.
References

1. added (www.cisa.gov)
2. KEV (www.cisa.gov)
3. critical vulnerability (www.manageengine.com)
4. CVE-2022-35405 (nvd.nist.gov)
5. said (www.manageengine.com)
Read more https://thehackernews.com/2022/09/cisa-warns-of-hackers-exploiting-recent.html