CVE-2022-29081

Name: CVE-2022-29081
Creator: NVD / NIST
Published: 2022-04-28T20:15:08.017+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 83.32%

Last modified Jun 17, 2026

CVE-2022-29081 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. EPSS estimates a 83.32% chance of exploitation in the next 30 days.

Description

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

83.32%

99.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions	Update
Zohocorp	Manageengine Access Manager Plus	4.0	Build4000
Zohocorp	Manageengine Access Manager Plus	4.1	Build4100
Zohocorp	Manageengine Access Manager Plus	4.2	Build4200
Zohocorp	Manageengine Access Manager Plus	4.3	Build4300
Zohocorp	Manageengine Pam360	4.0	Build4001
Zohocorp	Manageengine Pam360	4.1	Build4100
Zohocorp	Manageengine Pam360	4.5	Build4500
Zohocorp	Manageengine Pam360	5.0	Build5000
Zohocorp	Manageengine Pam360	5.1	Build5100
Zohocorp	Manageengine Pam360	5.2	Build5200
Zohocorp	Manageengine Pam360	5.3	Build5300
Zohocorp	Manageengine Pam360	5.4	Build5400
Zohocorp	Manageengine Password Manager Pro	10.1	Build10103
Zohocorp	Manageengine Password Manager Pro	10.2	Build10200
Zohocorp	Manageengine Password Manager Pro	10.3	Build10300
Zohocorp	Manageengine Password Manager Pro	10.4	Build10400
Zohocorp	Manageengine Password Manager Pro	11.1	11104
Zohocorp	Manageengine Password Manager Pro	11.2	Build11200
Zohocorp	Manageengine Password Manager Pro	11.3	Build11300
Zohocorp	Manageengine Password Manager Pro	12.0	Build12000

References

https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.htmlVendor Advisory
https://www.tenable.com/security/research/tra-2022-14Exploit, Third Party Advisory
https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.htmlVendor Advisory
https://www.tenable.com/security/research/tra-2022-14Exploit, Third Party Advisory

Timeline

Published: Apr 28, 2022
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2022-29081?

How severe is CVE-2022-29081?

CVE-2022-29081 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 83.32% probability of exploitation in the next 30 days.

How do I fix CVE-2022-29081?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-29081?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST