CVE-2022-35405

CRITICAL KEV NUCLEI

ManageEngine Password Manager Pro <12101 & PAM360 <5510 - RCE via Java Deserialization

Exploitation Summary

CVE-2022-35405 is actively exploited and has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since September 22, 2022. EIP tracks 2 public exploits from researchers including viniciuspereiras, Vinicius, Y4er and Grant Willcox; one of them is the Metasploit module exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce. A Nuclei detection template is also available.

Description

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

Exploits (2)

nomisec WORKING POC 29 stars
by viniciuspereiras · remote
https://github.com/viniciuspereiras/CVE-2022-35405

This repository contains a functional exploit for CVE-2022-35405, an unauthenticated remote code execution vulnerability in ManageEngine PAM360 and Password Manager Pro. The exploit uses a ysoserial-generated Java deserialization payload to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine PAM360 (5.5 and below), Password Manager Pro (12.1 and below), Access Manager Plus (4.3 and below)
No auth needed
Prerequisites: ysoserial jar file · Network access to the target server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Vinicius, Y4er, Grant Willcox · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb

This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Password Manager Pro and PAM360 via a crafted XML-RPC request to achieve remote code execution as SYSTEM. It supports multiple payload types including command execution, droppers, and PowerShell-based attacks.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zoho ManageEngine Password Manager Pro (before 12101), PAM360 (before 5510)
No auth needed
Prerequisites: Network access to the target's XML-RPC endpoint (typically port 7272) · Vulnerable version of Zoho Password Manager Pro or PAM360
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zoho ManageEngine - Remote Code Execution
CRITICAL · by viniciuspereiras, true13
Shodan: http.title:"ManageEngine" || http.title:"manageengine"
FOFA: title="manageengine"

Scores

CVSS v3 9.8
EPSS 0.9420
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-09-22
VulnCheck KEV 2022-09-22
InTheWild.io 2022-09-22
ENISA EUVD EUVD-2022-38295
CWE CWE-502
Status published
Products (6)
zohocorp/manageengine_access_manager_plus 4.3 build4300 (3 CPE variants)
zohocorp/manageengine_access_manager_plus < 4.3
zohocorp/manageengine_pam360 5.5 build5500
zohocorp/manageengine_pam360 < 5.5
zohocorp/manageengine_password_manager_pro 12.1 build12100
zohocorp/manageengine_password_manager_pro < 12.1
Published Jul 19, 2022
KEV Added Sep 22, 2022
Tracked Since Feb 18, 2026