The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical Java deserialization flaw affecting multiple Zoho ManageEngine products to its Catalog of Known Exploited Vulnerabilities (KEV) and warned that the flaw was actively being exploited in attacks.
CISA has issued a directive to all agencies that fall under the Federal Civilian Executive Branch (FCEB), asking them to patch the vulnerability by October 13 to ensure their networks are protected from exploit attempts.
A legally binding operational guideline (BOD 22-01) issued by CISA in November requires FCEB authorities to protect their systems against vulnerabilities that are added to the KEV catalog to reduce the risk of known exploitable flaws in the networks of the reduce US government.
The Remote Code Execution (RCE) vulnerability, indexed as CVE-2022-35405, can be exploited in attacks with a minimal level of sophistication and without user interaction.
A successful attack would allow attackers to reach RCE on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro, or Access Manager Plus software.
According to ManageEngine, no authentication is required to exploit the vulnerability in the Password Manager Pro and PAM360 products.
Both a Metasploit module and proof-of-concept (PoC) exploit code have been available online since August.
ManageEngine released security updates in July to address this issue and warned users that the POC exploit for the vulnerability is publicly available.
“We strongly encourage our customers to upgrade their Password Manager Pro, PAM360 and Access Manager Plus instances immediately,” the company said.
The following versions now have the full fix for the vulnerability:
- Access Manager Plus – affected version(s) 4302 and below – corrected version 4303
- Password Manager Pro – affected version(s) 12100 and below – corrected version 12101
- PAM360 – affected version(s) 5500 and below – corrected version 5510
According to ManageEngine, the vulnerability is fixed by:
- Remove all vulnerable components from Access Manager Plus and PAM360
- Remove vulnerable parsers from Password Manager Pro
Although BOD 22-01 applies only to FCEB agencies, CISA strongly encourages all organizations to reduce their exposure to cyberattacks by prioritizing the timely remediation of vulnerabilities in the KEV catalog as part of their vulnerability management practice.
Since the release of the mandatory policy in November, CISA has added more than 800 vulnerabilities to its KEV catalog that are exploited in attacks, requiring a tighter remediation schedule by federal agencies to prevent security breaches.
Earlier this month, CISA added 12 vulnerabilities to its KEV catalog, including a Google Chrome zero day, based on evidence of active exploitation.
According to CISA, these bugs pose a serious threat to federal companies and are a common attack vector for malicious actors.
Last month, the agency warned of active exploitation of a vulnerability affecting Palo Alto Networks’ PAN-OS.