On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
“Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows remote code execution,” the agency said in an advisory.
Although the exact nature of the flaw remains unknown, the India-based enterprise solutions company said it fixed the issue by removing vulnerable components that could lead to remote execution of arbitrary code.
Zoho also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative that customers upgrade instances of Password Manager Pro, PAM360, and Access Manager Plus as soon as possible.
In light of active exploitation in the wild, Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-supplied patches by October 13, 2022.