CVE-2022-35405 Overview
CVE-2022-35405 is a critical insecure deserialization vulnerability affecting Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems through malicious XML-RPC requests containing crafted Java serialized objects. This flaw stems from improper input validation in the XML-RPC endpoint, enabling attackers to exploit Java deserialization mechanisms to achieve full system compromise.
Critical Impact
This vulnerability enables unauthenticated remote code execution on enterprise credential management systems, potentially exposing all stored passwords, secrets, and privileged access credentials to attackers.
Affected Products
- Zoho ManageEngine Password Manager Pro before build 12101
- Zoho ManageEngine PAM360 before build 5510
- Zoho ManageEngine Access Manager Plus before build 4303 (requires authentication)
Discovery Timeline
- 2022-07-19 - CVE-2022-35405 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2022-35405
Vulnerability Analysis
This vulnerability (CWE-502: Deserialization of Untrusted Data) exists in the XML-RPC interface of ManageEngine Password Manager Pro and related products. The affected application fails to properly validate and sanitize serialized Java objects received through XML-RPC requests before deserializing them. When an attacker sends a specially crafted XML-RPC request containing a malicious serialized Java object, the application processes and deserializes this untrusted data without adequate security checks.
The exploitation does not require any form of authentication for Password Manager Pro and PAM360, significantly increasing the risk exposure. For Access Manager Plus, while authentication is required, the vulnerability remains exploitable by authenticated users. Given that these products are designed to manage privileged credentials and secrets across enterprise environments, successful exploitation could lead to catastrophic security breaches including access to all stored passwords, certificates, and privileged account credentials.
Root Cause
The root cause of CVE-2022-35405 lies in the improper handling of Java object deserialization within the XML-RPC interface. The application accepts and processes serialized Java objects from remote requests without implementing proper allowlist-based validation or using secure deserialization frameworks. This allows attackers to inject malicious gadget chains that execute arbitrary code when deserialized by the vulnerable Java application. The XML-RPC service is exposed on the network by default, making it trivial for attackers to reach the vulnerable endpoint.
Attack Vector
The attack is conducted over the network against the XML-RPC endpoint exposed by the ManageEngine applications. An attacker crafts a malicious HTTP POST request containing a serialized Java object designed to trigger code execution upon deserialization. The attack leverages known Java deserialization gadget chains commonly found in enterprise Java applications. Since Password Manager Pro and PAM360 do not require authentication for this endpoint, any network-accessible attacker can exploit this vulnerability to gain complete control over the system with the privileges of the ManageEngine service account.
The vulnerability has been confirmed as actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities Catalog. Technical details including exploit code are publicly available through security research publications. For detailed exploitation mechanics, refer to the Packet Storm Security analysis.
Detection Methods for CVE-2022-35405
Indicators of Compromise
- Unusual POST requests to the XML-RPC endpoint (/xmlrpc or similar paths) containing serialized Java objects
- Unexpected child processes spawned by the ManageEngine Java process
- Anomalous network connections initiated from the ManageEngine server to external IP addresses
- Evidence of web shells or persistence mechanisms in ManageEngine installation directories
- Unusual authentication activity or credential access patterns following potential exploitation windows
Detection Strategies
- Monitor HTTP traffic for POST requests to XML-RPC endpoints containing Java serialization magic bytes (0xAC 0xED) or Base64-encoded equivalents (rO0AB)
- Implement network intrusion detection rules to identify known exploitation payloads targeting CVE-2022-35405
- Deploy endpoint detection and response (EDR) solutions to identify suspicious process execution chains originating from ManageEngine services
- Review web server access logs for anomalous XML-RPC request patterns, particularly requests with large payloads or unusual content types
Monitoring Recommendations
- Enable verbose logging on ManageEngine applications and forward logs to a centralized SIEM platform
- Configure alerts for any external network connections initiated by the ManageEngine service account
- Implement file integrity monitoring on ManageEngine installation directories to detect unauthorized modifications
- Monitor for new user account creation or privilege escalation events that may indicate post-exploitation activity
How to Mitigate CVE-2022-35405
Immediate Actions Required
- Immediately update Password Manager Pro to build 12101 or later
- Update PAM360 to build 5510 or later
- Update Access Manager Plus to build 4303 or later
- If patching cannot be performed immediately, restrict network access to ManageEngine services using firewall rules
- Conduct forensic analysis to determine if exploitation has already occurred
Patch Information
Zoho has released security updates that address this vulnerability. Organizations should apply the following minimum build versions:
- Password Manager Pro: Build 12101 or later
- PAM360: Build 5510 or later
- Access Manager Plus: Build 4303 or later
Detailed patching instructions and security updates are available in the ManageEngine Security Advisory. CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog, requiring federal agencies to prioritize remediation.
Workarounds
- Implement strict network segmentation to limit access to ManageEngine services to authorized administrative workstations only
- Deploy a web application firewall (WAF) configured to block requests containing Java serialization signatures
- Disable or restrict the XML-RPC interface if not required for operational purposes
- Implement egress filtering to prevent the ManageEngine server from initiating outbound connections to untrusted destinations
- Enable application-level authentication where possible and enforce multi-factor authentication for all administrative access
# Example: Restrict network access to ManageEngine services using iptables
# Allow access only from trusted administrative subnet
iptables -A INPUT -p tcp --dport 7272 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7272 -j DROP
# Block outbound connections from ManageEngine service (adjust uid as needed)
iptables -A OUTPUT -m owner --uid-owner manageengine -j LOG --log-prefix "ME_EGRESS: "
iptables -A OUTPUT -m owner --uid-owner manageengine -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner manageengine -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
