The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
“Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unknown vulnerability that allows remote code execution,” the agency said in a statement.
The critical vulnerability, tracked as CVE-2022-35405, carries a CVSS severity score of 9.8 out of 10 and was patched by Zoho in an update released on June 24, 2022.
While the exact nature of the vulnerability is still unknown, the India-based enterprise software company said it resolved the issue by removing the vulnerable components that could lead to remote execution of arbitrary code.
Zoho has also warned that a proof-of-concept (PoC) exploit for the vulnerability is publicly available, and has urged customers to upgrade their installations of Password Manager Pro, PAM360, and Access Manager Plus as soon as possible.
In light of active exploitation in the wild, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-supplied patches by October 13, 2022.