CVE-2022-43672

high-risk

Published 2022-11-12

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

Do I need to act?

!

45.6% chance of exploitation in next 30 days

EPSS score — higher than 54% of all CVEs

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

9

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (16)

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Access Manager Plus

Manageengine Pam360

Manageengine Pam360

Manageengine Pam360

Manageengine Password Manager Pro

Manageengine Password Manager Pro

Manageengine Password Manager Pro

Manageengine Password Manager Pro

Manageengine Password Manager Pro

Manageengine Password Manager Pro

Affected Vendors

Zohocorp

References (2)

Vendor Advisory https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672...

Vendor Advisory https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672...

67

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 17/34 · Moderate

Exposure 18/34 · Moderate