SQL Injection Flaw Found in Zoho ManageEngine PAM/PMP

The National Vulnerability Database (NVD) has detailed a critical SQL injection vulnerability affecting Zoho’s ManageEngine PAM360 and Password Manager Pro. Specifically, ManageEngine PAM360 versions prior to 8531 and Password Manager Pro versions ranging from 8600 to 13230 are susceptible.

This flaw, tracked as CVE-2026-5785 and classified under CWE-89 (SQL injection), resides within the query report module. Successful exploitation allows an authenticated attacker to inject malicious SQL code, potentially leading to unauthorized data access or modification. The National Vulnerability Database rates this vulnerability with a CVSS score of 8.1, classifying it as HIGH severity.

The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N indicates a network-exploitable vulnerability with low complexity, requiring only low privileges, and having a significant impact on confidentiality and integrity. Given the nature of privileged access management tools, a successful exploit here could have severe repercussions for an organization’s security posture.

What This Means For You

  • If your organization uses Zoho ManageEngine PAM360 or Password Manager Pro, check your installed versions immediately. If you are running PAM360 before 8531 or Password Manager Pro from 8600 to 13230, patch these systems urgently to mitigate the SQL injection risk. Audit your systems for any unusual activity within the query report module.

Related ATT&CK Techniques

T1190 (Initial Access), high severity: Web Application Exploitation Attempt (CVE-2026-5785)

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5785 | SQLi | Zohocorp ManageEngine PAM360 versions before 8531 |
| CVE-2026-5785 | SQLi | Zohocorp ManageEngine Password Manager Pro versions from 8600 to 13230 |
| CVE-2026-5785 | SQLi | Authenticated SQL injection in the query report module |
