Well, hello in 2023!
It's time to get down to business again!
The year has only just begun, yet plenty has already happened, and we will cover those events in our posts over the coming days.
First of all, we recommend that Zoho customers fix a serious security vulnerability affecting several ManageEngine products.
CVE-2022-47523 is an SQL injection vulnerability in three products: the Password Manager Pro secure storage, the PAM360 privileged access management software and the Access Manager Plus privileged session management solution.
Successful exploitation gives authenticated attackers access to the server database and lets them execute custom queries to access database table records.
The bug was fixed by adding proper validation and escaping of special characters; the fix ships in Password Manager Pro version 12210, PAM360 version 5801 and Access Manager Plus version 4309.
Zoho recommends that customers back up their Password Manager Pro, PAM360 and Access Manager Plus installations before upgrading to avoid data loss.
Given the severity of this vulnerability, customers are strongly advised to immediately upgrade to the latest build of these solutions.
Zoho did not mention any exploitation of this vulnerability in the wild, but as you know, previous ManageEngine bugs have already been actively and repeatedly exploited in attacks.
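
An added example, not from Zoho or the original post: a small inventory triage against the fixed versions listed above. The host names, CSV layout and sample builds are constructed, and it assumes build numbers compare as plain integers.

```python
import csv
import io

# First fixed versions for CVE-2022-47523, as stated in the post above.
FIXED_BUILD = {
    "password manager pro": 12210,
    "pam360": 5801,
    "access manager plus": 4309,
}

# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = """host,product,build
vault01,Password Manager Pro,12200
vault02,password manager pro,12210
pam-a,PAM360,5800
amp-1,Access Manager Plus,4309
amp-2,Access Manager Plus,n/a
help01,ServiceDesk Plus,14001
"""


def classify(product, build):
    """Return 'vulnerable', 'fixed', 'unknown-build' or 'not-listed'."""
    # Normalise case and whitespace so inventory spelling variants still match.
    fixed = FIXED_BUILD.get(" ".join(product.lower().split()))
    if fixed is None:
        return "not-listed"     # product is not one of the three named above
    try:
        installed = int(build.strip())
    except ValueError:
        return "unknown-build"  # cannot prove it is patched: check by hand
    # Assumption: a build at or above the fixed one contains the fix.
    return "fixed" if installed >= fixed else "vulnerable"


def triage(inventory_csv):
    """Map each host to its status for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["build"]) for r in rows}


def needs_action(inventory_csv):
    """Hosts to back up and upgrade, or to verify manually, sorted by name."""
    return sorted(h for h, s in triage(inventory_csv).items()
                  if s in ("vulnerable", "unknown-build"))


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Rows with an unreadable build are reported for manual review rather than treated as patched.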