The US Cybersecurity and Infrastructure Security Agency (CISA) warns that a critical remote code execution (RCE) flaw in Zoho ManageEngine, first disclosed in June, is now under active attack.
According to Zoho's patch notice, the bug “could allow remote attackers to execute arbitrary code on affected installations”.
Several Zoho ManageEngine products are affected, CISA said, including Zoho ManageEngine PAM360, Password Manager Pro and Access Manager Plus.
Authentication is not required to exploit the vulnerability in Password Manager Pro and PAM360 products, Zoho added.
CISA has moved to add the Zoho ManageEngine bug to its catalog of known exploited vulnerabilities, which indicates that the bug (CVE-2022-35405) is both under active exploit and poses a threat to federal government systems.
CISA advises federal agencies to apply the vendor patch immediately.