"CISA Warns of Critical ManageEngine RCE Bug Used in Attacks"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has added a critical-severity Java deserialization vulnerability impacting multiple Zoho ManageEngine products to its Known Exploited Vulnerabilities (KEV) Catalog. The security flaw, tracked as CVE-2022-35405, can be used to gain Remote Code Execution (RCE) on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro, or Access Manager Plus software in low-complexity attacks. Since August, proof-of-concept (PoC) exploit code and a Metasploit module that target this bug to gain RCE as the SYSTEM user have been available online. Following its inclusion in CISA's KEV catalog, all Federal Civilian Executive Branch (FCEB) agencies must now patch their systems against this bug, which has been exploited in the wild, according to Binding Operational Directive BOD 22-01 issued in November. Federal agencies have three weeks, until October 13, to ensure their networks are secure against exploitation attempts. This article continues to discuss CISA's warning about a critical-severity Java deserialization vulnerability affecting Zoho ManageEngine products.
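The bug class named above, Java deserialization, arises when an application calls `ObjectInputStream.readObject()` on untrusted bytes without restricting which classes may be instantiated. The page gives no detail on the affected ManageEngine code path, so the following is an added illustration of the bug class and its standard mitigation, not Zoho's code and not a description of CVE-2022-35405 itself. It assumes Java 9 or later (for `java.io.ObjectInputFilter`, JEP 290); the class names `Note` and `Unexpected` are constructed for the demo.

```java
import java.io.*;

public class DeserializationFilterDemo {

    // Constructed type the application legitimately expects on the wire.
    public static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Note(String text) { this.text = text; }
    }

    // Constructed stand-in for "any class the application did not expect".
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any Serializable class on the classpath is
    // instantiated on the attacker's behalf; this is what gadget-chain
    // RCE exploits rely on.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list serial filter. Only Note and classes
    // from the java.base module pass; "!*" rejects everything else before
    // the class is resolved or instantiated.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$Note;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Note("hello"));
        byte[] unexpected = serialize(new Unexpected());

        // Without a filter the unexpected class is happily instantiated.
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getName());

        // With the filter, the expected type still works...
        System.out.println("filtered, expected: " + ((Note) readFiltered(expected)).text);

        // ...and the unexpected type is rejected with InvalidClassException.
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected: ACCEPTED (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same allow-list can be applied process-wide without code changes via the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='com.example.**;java.base/*;!*'`), which is the practical check to run against a third-party Java service: if it deserializes untrusted input and no filter is configured, every Serializable class on its classpath is reachable by whoever can supply that input.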

Bleeping Computer reports "CISA Warns of Critical ManageEngine RCE Bug Used in Attacks"
