https://feed.craftedsignal.io/tags/manageengine/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 17 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-manageengine-sqli/Fri, 17 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-manageengine-sqli/An authenticated SQL injection vulnerability (CVE-2026-5785) in the query report module of Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 allows attackers with low privileges to potentially read or modify sensitive database information.Zohocorp ManageEngine PAM360 and Password Manager Pro are affected by an authenticated SQL injection vulnerability within the query report module. This vulnerability, identified as CVE-2026-5785, impacts PAM360 versions prior to 8531 and Password Manager Pro versions ranging from 8600 to 13230. An attacker with valid, albeit low-privileged, credentials can exploit this flaw by injecting malicious SQL queries through the affected module. Successful exploitation could lead to unauthorized data access, modification, or even complete database compromise. Defenders must apply the necessary patches to remediate this vulnerability.

Attack Chain

1. Attacker gains valid, low-privileged credentials to ManageEngine PAM360 or Password Manager Pro application.
2. Attacker authenticates to the ManageEngine application with the obtained credentials.
3. Attacker navigates to the “query report” module within the application’s interface.
4. Attacker crafts a malicious SQL query containing SQL injection payloads within report generation parameters.
5. The application processes the crafted SQL query without proper sanitization, executing the injected SQL commands.
6. The database executes the malicious SQL query, leading to unintended data retrieval (exfiltration) or modification.
7. Attacker extracts sensitive information like usernames, passwords, or configuration details from the database.
8. Attacker may further exploit the SQL injection to modify database records, escalate privileges, or compromise other application functionalities.

Impact

Successful exploitation of CVE-2026-5785 can result in significant data breaches and compromise of sensitive assets managed by ManageEngine PAM360 and Password Manager Pro. An attacker could potentially gain unauthorized access to credentials, configuration settings, and other critical information stored within the database. The impact can range from data theft and service disruption to complete system compromise, potentially affecting hundreds of organizations relying on these products for privileged access management.

Recommendation

• Immediately upgrade ManageEngine PAM360 to version 8531 or later to patch CVE-2026-5785.
• Immediately upgrade ManageEngine Password Manager Pro to a version later than 13230, or a version earlier than 8600.
• Monitor web server logs for suspicious SQL syntax or unusual database query patterns related to the query report module using the provided Sigma rule.
• Implement input validation and sanitization measures within the ManageEngine application to prevent SQL injection attacks.
• Enable database auditing to detect and investigate any unauthorized database access or modification attempts stemming from CVE-2026-5785.

]]>highadvisorycve-2026-5785sqlimanageenginepam360passwordmanagerprohttps://feed.craftedsignal.io/briefs/2026-04-manageengine-xss/Fri, 03 Apr 2026 11:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-manageengine-xss/Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability within the Distribution Lists report. This flaw allows an attacker with low privileges to inject malicious JavaScript code into the report. When other users view the compromised report, the injected script executes, potentially leading to session hijacking, sensitive data theft, or unauthorized administrative actions. The vulnerability stems from insufficient input sanitization when generating the Distribution Lists report, a feature within the Exchange Reporter Plus application designed to provide insights into Exchange environments.

Attack Chain

1. Attacker authenticates to ManageEngine Exchange Reporter Plus with low-privilege credentials.
2. Attacker navigates to the Distribution Lists report generation page.
3. Attacker crafts a malicious payload containing JavaScript code designed to execute upon rendering. This payload is injected via a field that contributes to the report.
4. The application stores the malicious payload without proper sanitization within the Distribution Lists report data.
5. A privileged user views the Distribution Lists report through the web interface.
6. The stored malicious JavaScript payload is rendered within the user’s browser.
7. The script executes within the context of the user’s session, potentially stealing cookies or other sensitive information.
8. The attacker leverages the stolen credentials or session to perform unauthorized actions within the ManageEngine Exchange Reporter Plus application, such as accessing sensitive reports or modifying configurations.

Impact

Successful exploitation of this Stored XSS vulnerability allows an attacker to compromise user accounts and potentially gain administrative access to the ManageEngine Exchange Reporter Plus application. This can lead to unauthorized access to sensitive Exchange environment data, including email addresses, distribution list memberships, and other configuration details. Given the broad adoption of ManageEngine products, this vulnerability could impact numerous organizations relying on Exchange Reporter Plus for monitoring and reporting. The impact is magnified because the injected script is stored, affecting multiple users who view the compromised report.

Recommendation

• Upgrade ManageEngine Exchange Reporter Plus to version 5802 or later to patch CVE-2026-28754.
• Deploy the Sigma rule Detect Suspicious URI Access to Distribution List Reports to identify potential exploitation attempts.
• Implement input validation and sanitization on the Distribution Lists report generation page to prevent the injection of malicious scripts.

]]>mediumadvisoryxssvulnerabilitymanageengine