Zoho urges administrators to patch a critical ManageEngine bug immediately

Zoho, a business software company, has asked customers to fix a security flaw that affects several of its ManageEngine products.

Zoho said on Monday, "This security advisory is to inform you that a critical security flaw has been detected."

The bug is tracked as CVE-2022-47523. It is a SQL injection vulnerability in Password Manager Pro, PAM360, and Access Manager Plus, all of which are privileged access management (PAM) products.

Successful exploitation gives an attacker access to the backend database and lets them run custom queries against its tables.

Zoho stated that it had discovered a SQL injection vulnerability in its internal framework that "would allow all [..] users unauthenticated access to the backend databases."

The company added that, "given this vulnerability's severity, customers should upgrade immediately to the latest versions of PAM360, Access Manager Plus, and Password Manager Pro."

Zoho says it fixed the problem by adding input validation and escaping special characters.
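As an added illustration of the class of bug and of the fix Zoho describes (validation plus escaping), the following Python snippet is not Zoho's code and does not reproduce the ManageEngine flaw; it shows a generic lookup built by string concatenation next to the same lookup with escaping and with an allow-list plus a bound parameter. The table, rows, regex and payload are constructed for the example.

```python
"""
Added illustration (not Zoho's code, not the real CVE-2022-47523 code path):
a lookup that concatenates user input into SQL, the same lookup with quote
escaping, and a hardened version using an allow-list plus a bound parameter.
All table and row data below is constructed sample data.
"""
import re
import sqlite3

# Constructed sample data resembling a password vault's resource table.
SAMPLE_ROWS = [
    ("alice", "prod-db-01", "s3cr3t-alpha"),
    ("bob",   "build-host", "s3cr3t-bravo"),
    ("carol", "hr-share",   "s3cr3t-charlie"),
]

# Classic tautology payload, constructed attacker input for the demo.
PAYLOAD = "nobody' OR '1'='1"

# Allow-list for owner identifiers (hypothetical policy for this example).
OWNER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (owner TEXT, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    """Concatenates the input into the statement: the input becomes SQL."""
    sql = "SELECT owner, name, password FROM resources WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, owner):
    """Escaping alone: doubling single quotes keeps the value inside the literal.

    This defeats the quote-based payload in a string context, but escaping is
    context dependent (numeric columns, identifiers, LIKE patterns differ), so
    it is weaker than binding parameters.
    """
    safe = owner.replace("'", "''")
    sql = "SELECT owner, name, password FROM resources WHERE owner = '" + safe + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    """Validate against an allow-list, then bind the value as a parameter."""
    if not OWNER_RE.match(owner):
        raise ValueError("invalid owner identifier")
    sql = "SELECT owner, name, password FROM resources WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Runs all three lookups against the payload and a legitimate value."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)    # tautology returns every row
    escaped = lookup_escaped(conn, PAYLOAD)      # literal match, no rows
    try:
        lookup_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                            # rejected before reaching SQL
    legit = lookup_hardened(conn, "alice")
    return {
        "leaked_rows": len(leaked),
        "escaped_rows": len(escaped),
        "payload_blocked": blocked,
        "legit_rows": len(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns the whole table for the tautology payload, the escaped path returns nothing because the payload is compared as a literal string, and the hardened path rejects the payload outright while still serving a legitimate lookup.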

To upgrade, download the most recent upgrade pack for your product.

Then follow the instructions on the Upgrade Pack pages to install the latest build.

Product name            Affected versions     Fixed version
Password Manager Pro    12200 and below
PAM360                  5800 and below
Access Manager Plus     4304 and below        4408



In September, CISA warned of a different critical ManageEngine vulnerability that was being exploited to remotely execute code on unpatched servers running PAM360, Access Manager Plus, or Password Manager Pro.

United States Federal Civilian Executive Branch (FCEB) agencies were given three weeks to patch vulnerable systems and protect their networks from exploitation attempts.

Zoho ManageEngine servers have been under constant attack in recent years. Desktop Central instances have been hacked and used to breach organizations' networks since July 2020.

ManageEngine servers were also attacked between August 2021 and October 2021 using tools and tactics similar to those of the Chinese-linked APT27 hacking group.

CISA and the FBI have issued joint advisories warning that state-sponsored attackers are using ManageEngine bugs to break into critical infrastructure networks.