SOCRadar® Cyber Intelligence Inc. | CISA Urges to Patch ManageEngine Against RCE Vulnerability
Home

Resources

Blog
Eyl 23, 2022
3 Mins Read

CISA Urges to Patch ManageEngine Against RCE Vulnerability

CISA has added a new critical vulnerability to its Known Exploited Vulnerabilities Catalog. The flaw exists in several ManageEngine products from Zoho and can lead to remote code execution on unpatched instances.

The flaw, identified as CVE-2022-35405, is a Java deserialization flaw that has been exploited in the wild and has a 9.8 CVSS score.

Affected products and versions are listed below: 

  • PAM360 – 5500 and prior 
  • Access Manager Plus – 4302 and prior 
  • Password Manager Pro – 12100 and prior 

Proof-of-concept codes and a Metasploit module to specifically exploit CVE-2022-35405 are available.

Find Out If Your Installation is Affected 

You can follow these instructions to determine if your installation is impacted: 

  1. Navigate to /logs
  2. Open the access_log_.txt file 
  3. Search the text file for the phrase ” /xmlrpc POST ” Your environment is unaffected if this keyword is not discovered. Go on to the following step if it is present. 
  4. Look in the log files for the following line. Your installation is compromised if it is there:
[/xmlrpc-_###_https-jsse-nio2--exec-] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetException

These steps should be taken if your computer has been compromised: 

  • Isolate and disconnect the affected device. 
  • Send ManageEngine a zip file with all the application logs at the product support email addresses. 

All Organizations are Recommended to Fix This Flaw 

Although BOD 22-01 (Binding Operational Directive) only applies to FCEB agencies in the United States, CISA asked other businesses and government agencies worldwide to prioritize correcting this vulnerability.

Applying fixes as soon as possible and following these recommendations will reduce the attack surface that attackers could exploit while trying to break into their networks. 

Patches have been accessible since the end of June. CISA and the vendor strongly advise customers to update their products right away. 

Check the advisory for further information and to get in touch with product support.

To update, download the most recent upgrade pack for the relevant product: