A security researcher has discovered serious vulnerabilities in ManageEngine's Password Manager Pro, PAM360 and Access Manager Plus, which could be exploited to run malicious code remotely without authentication.
Alvaro Muñoz, who works as a security researcher at open source code repository Github, found that the ManageEngine components were vulnerable to a 2020 bug, which allows for unsafe deserialisation of XMLRPC arguments in the Apache OfBiz enterprise resource planning system.
The Open Web Application Security Project (OWASP) explains deserialisation as "taking data structured from some format, and rebuilding it into an object".
Deserialisation has been the cause of several serious vulnerabilities recently, such as the Log4J logging bug.
Muñoz has published proof-of-concept code for the vulnerability, using the ysoserial tool to generate payloads that exploit unsafe Java object deseralisation.
ManageEngine is enterprise management software that's widely used in almost 200 countries, with nearly 280,000 installations.
The bug does not appear to have been exploited in the wild, and ManageEngine patched the vulnerability in June this year.
