On Thursday the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a recently patched vulnerability in Zoho ManageEngine is being exploited in attacks. ManageEngine, the enterprise IT management division of Zoho, sells products for identity and access management, endpoint management, IT service management, security information and event management (SIEM), and IT operations management.
The exploited flaw, tracked as CVE-2022-35405 (CVSS score of 9.8), is a remote code execution (RCE) bug affecting ManageEngine Password Manager Pro builds before 12101, ManageEngine PAM360 builds before 5510, and ManageEngine Access Manager Plus builds before 4303.
Exploitation requires no authentication against ManageEngine Password Manager Pro or PAM360, so any attacker who can reach a vulnerable instance over the network can execute code on it. Against ManageEngine Access Manager Plus, by contrast, the attacker must first authenticate to the vulnerable instance, which limits exposure to anyone holding (or having stolen) valid credentials. Organizations running any of the three products should confirm they are on build 12101, 5510, or 4303 or later, respectively, and treat internet-exposed Password Manager Pro and PAM360 instances as the highest priority.