The Cybersecurity and Infrastructure Security Agency (CISA) added a critical severity Java deserialization vulnerability (CVE-2022-35405) to its list of vulnerabilities being exploited in the wild that allow for a threat actor to gain remote code execution. The vulnerability affects servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro, or Access Manager Plus, with the former two not requiring any authentication while the latter does. Security patches for this vulnerability were released by the company in July. Proof-of-concept exploit code and a Metasploit module targeting this vulnerability have been publicly available since August.
With the vulnerability being released and subsequently patched by Zoho in July, this vulnerability poses no threat to organizations with short vulnerability management cycles. However, as is often the case a few months after public disclosure and proof of concept (PoC) disclosure, this vulnerability is still being actively exploited in the wild. Prioritizing this patch is highly recommended for an enterprise organization, as a single identity vulnerability being exploited can have a cascading effect with high costs if initial access is sold to ransomware or data extortion operators.