Zoho, a business software provider, released a security advisory encouraging its customers to immediately patch a critical security flaw affecting three ManageEngine products, BleepingComputer reports.
The SQL injection vulnerability, CVE-2022-47523, was found in Zoho's PAM360 privileged access management software, Password Manager Pro secure vault, and Access Manager Plus privileged session management solution.
The bug would grant attackers unauthenticated access to the backend database and let them execute custom queries to gain access to database table entries, the firm warned.
"[G]iven the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately."
Zoho said the issue was fixed last month by adding proper validation and escaping special characters. To upgrade an installation, customers must first download the latest upgrade pack for their product and then deploy the latest build by following the instructions on that product's Upgrade Pack page.