"Zoho Urges Admins to Patch Critical ManageEngine Bug Immediately"

Business software provider Zoho is urging customers to patch a critical security flaw affecting multiple ManageEngine products. The bug, tracked as CVE-2022-47523, is an SQL injection vulnerability found in the company's Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution. The company noted that successful exploitation provides attackers with unauthenticated access to the backend database and allows them to execute custom queries to access database table entries. Given the severity of this vulnerability, the company stated, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro, and Access Manager Plus immediately. Zoho says it fixed the issue last month by escaping special characters and adding proper validation. To upgrade an installation, the company noted, one should first download the latest upgrade pack for the product (PAM360, Password Manager Pro, Access Manager Plus), then deploy the latest build according to the upgrade instructions available on each product's Upgrade Pack page.

BleepingComputer reports: "Zoho Urges Admins to Patch Critical ManageEngine Bug Immediately"

Submitted by Anonymous on