CVE-2023-2291

HIGH

Zohocorp Manageengine Access Manager Plus - Hard-coded Credentials

Title source: rule

Description

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

References (1)

[Exploit, Third Party Advisory] https://tenable.com/security/research/tra-2023-16

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 5.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-798

Status published

Affected Products (3)

zohocorp/manageengine_access_manager_plus

zohocorp/manageengine_pam360

zohocorp/manageengine_password_manager_pro

Timeline

Published Apr 26, 2023

Tracked Since Feb 18, 2026