A vulnerability in the Zoho ManageEngine was added to CISA's catalog of known exploited vulnerabilities. ("File:Zoho headquarters in chennai.jpg" by Samueljjohn is licensed under CC BY-SA 4.0.)

Researchers at Nucleus Security on Friday posted a blog that explained how the Zoho ManageEngine vulnerability discovered earlier this month was elevated and uploaded to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.

Ryan Cribelar, the vulnerability research engineer at Nucleus Security who posted the blog, said CISA uploaded CVE-2022-35405 on Thursday when the agency determined that there was enough evidence that the vulnerability actually was exploited in the wild.

GitHub security researcher Alvaro Muñoz wrote in a blog post on Sept. 9 that CVE-2022-35405 could have executed arbitrary code on vulnerable installations of ManageEngine’s Password Manager Pro, access management tool PAM360, and Access Manager Plus. In the blog, Muñoz explained that the vulnerability was possible because of a a vulnerable version of Apache OFBiz (CVE-2020-9496), a Java-based open source enterprise resource planning system.

Muñoz reported CVE-2022-3545 to ManageEngine on June 21 and it was acknowledged the same day. ManageEngine resolved the issue in a new release three days later. MITRE then tagged CVE-2022-35405 on July 11. 

Bud Broomhead, chief executive officer at Viakoo, pointed out three challenges the Zoho ManageEngine vulnerability presents to security teams:  

First is the race against time. Now that this vulnerability is part of CISA’s KEV catalog and because of the manual nature of checking to see if a system has been compromised, this vulnerability will be exploitable for a longer time than a vulnerability that can be automatically detected and patched.  

Second, Broomhead said while the recommended action is to disconnect and isolate a compromised system, impact to the business needs to be assessed before taking a system offline. 

Finally, as common with many cloud applications, there’s a reliance on open source software. The open source vulnerability this exploit is based on was discovered in 2020, and potentially could still be actively used in exploits leveraging other applications. Broomhead said this falls under supply chain risk, and to minimize such threats organizations should work with vendors to ensure that they are compliant to SOC 2 and other security standards, and can provide software bill of materials (SBOM) specifically around their use of open source software. 

“Security teams need to leverage automated solutions (particularly discovery and remediation) because of the urgency behind stopping a threat actor's performing remote code execution within their environment,” Broomhead said. “Especially when the applications involved (password and access management) are tied to identity management and authentication; moving to zero-trust architectures will help minimize the impact of identity management breaches.”