CVE-2022-35405

What is Zoho ManageEngine PAM360 / Password Manager Pro?

Zoho ManageEngine PAM360 and Password Manager Pro are enterprise privileged access management (PAM) tools used by IT and security teams to store, manage, rotate, and audit access to privileged credentials — including administrator passwords, service account credentials, SSH keys, API tokens, and database passwords. Access Manager Plus provides session management and zero-trust remote access for privileged users. Because these products are the centralized vault for an organization's most sensitive credentials, they are extremely high-value attack targets: compromising a PAM solution can provide immediate access to every system whose credentials it manages.

Overview

CVE-2022-35405 is a critical remote code execution vulnerability (CWE-502, CVSS 9.8) in Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. An unauthenticated remote attacker can achieve RCE via a Java deserialization exploit targeting the XML-RPC interface exposed by these products. ManageEngine released patches in June 2022. By September 2022, CISA and the FBI issued a joint advisory warning that state-sponsored APT actors were actively exploiting ManageEngine vulnerabilities (including CVE-2022-35405) to compromise defense, technology, and critical infrastructure organizations.

Affected Versions

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) exists in the XML-RPC interface exposed by ManageEngine PAM360 and Password Manager Pro. XML-RPC is a legacy remote procedure call protocol that uses XML for encoding and HTTP for transport. The ManageEngine implementation accepts XML-RPC requests and deserializes the payload without requiring authentication.

Java deserialization vulnerabilities allow an attacker to craft a malicious serialized Java object (using known gadget chains from libraries present in the application's classpath) that, when deserialized by the server, executes arbitrary OS commands. Tools like ysoserial automate the construction of such payloads.

An unauthenticated attacker can send a crafted HTTP POST request to the XML-RPC endpoint, triggering deserialization of the malicious payload and achieving code execution with the privileges of the ManageEngine service account — typically a high-privilege service account with access to the credential vault and underlying database.

Discovery

The vulnerability was internally identified by Zoho and patched in June 2022 before broad public disclosure. The technical mechanism (Java deserialization via XML-RPC) was inferred from the patch and related ManageEngine vulnerability research, as Zoho did not publicly describe the specific technical root cause.

Exploitation Context

Zoho ManageEngine products have been a persistent target for state-sponsored threat actors throughout 2021–2022. A joint CISA/FBI advisory in September 2022 warned that APT actors (assessed as nation-state affiliated) were exploiting ManageEngine vulnerabilities in the defense industrial base, critical infrastructure, and technology sectors. The advisory specifically called out:

• Exploitation for initial access to enterprise networks via internet-facing ManageEngine deployments
• Post-exploitation use of the ManageEngine service account to harvest credentials from the PAM vault
• Deployment of webshells and custom implants for persistent access
• Lateral movement using harvested privileged credentials

The appeal of targeting PAM solutions is clear: a single successful exploitation can yield the keys to every system in the organization. ManageEngine deployments are often internet-accessible for remote administration by IT staff, expanding the attack surface.

Remediation

1. Update ManageEngine products immediately: Upgrade to PAM360 build 5801+, Password Manager Pro build 12101+, or Access Manager Plus build 4303+.
2. Restrict internet access: ManageEngine PAM360 and Password Manager Pro management interfaces should not be internet-facing. Place behind a VPN or restrict to management network access only.
3. Disable or firewall XML-RPC endpoint: If XML-RPC functionality is not used by your deployment, disable it or firewall access to the specific endpoint.
4. Audit for compromise: If internet exposure existed before patching, conduct forensic investigation. Look for unexpected files in the ManageEngine web directory, new scheduled tasks, unauthorized accounts, and evidence of credential vault access.
5. Rotate all vault-managed credentials: Treat every credential stored in the PAM vault as potentially compromised if exploitation is suspected. Initiate a controlled credential rotation for all accounts managed by the system.
6. Review audit logs: Examine ManageEngine's access logs for unauthorized queries to the credential vault, bulk credential exports, or API access from unexpected IP addresses.