{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/manageengine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5785"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5785","sqli","manageengine","pam360","passwordmanagerpro"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZohocorp ManageEngine PAM360 and Password Manager Pro are affected by an authenticated SQL injection vulnerability within the query report module. This vulnerability, identified as CVE-2026-5785, impacts PAM360 versions prior to 8531 and Password Manager Pro versions ranging from 8600 to 13230. An attacker with valid, albeit low-privileged, credentials can exploit this flaw by injecting malicious SQL queries through the affected module. Successful exploitation could lead to unauthorized data access, modification, or even complete database compromise. Defenders must apply the necessary patches to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid, low-privileged credentials to ManageEngine PAM360 or Password Manager Pro application.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the ManageEngine application with the obtained credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the \u0026ldquo;query report\u0026rdquo; module within the application\u0026rsquo;s interface.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SQL query containing SQL injection payloads within report generation parameters.\u003c/li\u003e\n\u003cli\u003eThe application processes the crafted SQL query without proper sanitization, executing the injected SQL commands.\u003c/li\u003e\n\u003cli\u003eThe database executes the malicious SQL query, leading to unintended data retrieval (exfiltration) or modification.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive information like usernames, passwords, or configuration details from the database.\u003c/li\u003e\n\u003cli\u003eAttacker may further exploit the SQL injection to modify database records, escalate privileges, or compromise other application functionalities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5785 can result in significant data breaches and compromise of sensitive assets managed by ManageEngine PAM360 and Password Manager Pro. An attacker could potentially gain unauthorized access to credentials, configuration settings, and other critical information stored within the database. The impact can range from data theft and service disruption to complete system compromise, potentially affecting hundreds of organizations relying on these products for privileged access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ManageEngine PAM360 to version 8531 or later to patch CVE-2026-5785.\u003c/li\u003e\n\u003cli\u003eImmediately upgrade ManageEngine Password Manager Pro to a version later than 13230, or a version earlier than 8600.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SQL syntax or unusual database query patterns related to the query report module using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the ManageEngine application to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eEnable database auditing to detect and investigate any unauthorized database access or modification attempts stemming from CVE-2026-5785.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-manageengine-sqli/","summary":"An authenticated SQL injection vulnerability (CVE-2026-5785) in the query report module of Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 allows attackers with low privileges to potentially read or modify sensitive database information.","title":"ManageEngine PAM360 and Password Manager Pro Authenticated SQL Injection Vulnerability (CVE-2026-5785)","url":"https://feed.craftedsignal.io/briefs/2026-04-manageengine-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-28754"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","manageengine"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability within the Distribution Lists report. This flaw allows an attacker with low privileges to inject malicious JavaScript code into the report. When other users view the compromised report, the injected script executes, potentially leading to session hijacking, sensitive data theft, or unauthorized administrative actions. The vulnerability stems from insufficient input sanitization when generating the Distribution Lists report, a feature within the Exchange Reporter Plus application designed to provide insights into Exchange environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to ManageEngine Exchange Reporter Plus with low-privilege credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Distribution Lists report generation page.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing JavaScript code designed to execute upon rendering. This payload is injected via a field that contributes to the report.\u003c/li\u003e\n\u003cli\u003eThe application stores the malicious payload without proper sanitization within the Distribution Lists report data.\u003c/li\u003e\n\u003cli\u003eA privileged user views the Distribution Lists report through the web interface.\u003c/li\u003e\n\u003cli\u003eThe stored malicious JavaScript payload is rendered within the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe script executes within the context of the user\u0026rsquo;s session, potentially stealing cookies or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen credentials or session to perform unauthorized actions within the ManageEngine Exchange Reporter Plus application, such as accessing sensitive reports or modifying configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Stored XSS vulnerability allows an attacker to compromise user accounts and potentially gain administrative access to the ManageEngine Exchange Reporter Plus application. This can lead to unauthorized access to sensitive Exchange environment data, including email addresses, distribution list memberships, and other configuration details. Given the broad adoption of ManageEngine products, this vulnerability could impact numerous organizations relying on Exchange Reporter Plus for monitoring and reporting. The impact is magnified because the injected script is stored, affecting multiple users who view the compromised report.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ManageEngine Exchange Reporter Plus to version 5802 or later to patch CVE-2026-28754.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious URI Access to Distribution List Reports\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the Distribution Lists report generation page to prevent the injection of malicious scripts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T11:17:05Z","date_published":"2026-04-03T11:17:05Z","id":"/briefs/2026-04-manageengine-xss/","summary":"Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.","title":"ManageEngine Exchange Reporter Plus Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-manageengine-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Manageengine","version":"https://jsonfeed.org/version/1.1"}