CVE-2022-29081

CRITICAL EXPLOITED NUCLEI

Zoho ManageEngine <4302, <12007, <5401 - Auth Bypass

Title source: llm

Description

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

Nuclei Templates (1)

Zoho ManageEngine - Access Control Bypass
CRITICAL VERIFIED by 0xanis
Shodan: http.title:"manageengine"

Scores

CVSS v3 9.8
EPSS 0.8803
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-06
CWE CWE-22
Status published
Products (20)
zohocorp/manageengine_access_manager_plus 4.0 build4000
zohocorp/manageengine_access_manager_plus 4.1 build4100 (2 CPE variants)
zohocorp/manageengine_access_manager_plus 4.2 build4200 (4 CPE variants)
zohocorp/manageengine_access_manager_plus 4.3 build4300 (2 CPE variants)
zohocorp/manageengine_pam360 4.0 build4001 (2 CPE variants)
zohocorp/manageengine_pam360 4.1 build4100 (2 CPE variants)
zohocorp/manageengine_pam360 4.5 build4500 (2 CPE variants)
zohocorp/manageengine_pam360 5.0 build5000 (5 CPE variants)
zohocorp/manageengine_pam360 5.1 build5100
zohocorp/manageengine_pam360 5.2 build5200
... and 10 more
Published Apr 28, 2022
Tracked Since Feb 18, 2026