CVE-2023-35785 — HIGH (8.1)

Q: How severe is CVE-2023-35785?

CVE-2023-35785 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-35785?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Ad360, Zohocorp Manageengine Adaudit Plus, Zohocorp Manageengine Admanager Plus, Zohocorp Manageengine Assetexplorer, Zohocorp Manageengine Cloud Security Plus.

Vulnerability Description

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Ad360	< 4.3
Zohocorp	Manageengine Adaudit Plus	< 7.2
Zohocorp	Manageengine Admanager Plus	< 7.2
Zohocorp	Manageengine Assetexplorer	< 6.9
Zohocorp	Manageengine Cloud Security Plus	< 4.1
Zohocorp	Manageengine Datasecurity Plus	< 6.1
Zohocorp	Manageengine Eventlog Analyzer	< 12.3.0
Zohocorp	Manageengine Exchange Reporter Plus	< 5.7
Zohocorp	Manageengine Log360	< 5.3
Zohocorp	Manageengine Log360 Ueba	4.0
Zohocorp	Manageengine M365 Manager Plus	< 4.5
Zohocorp	Manageengine M365 Security Plus	< 4.5
Zohocorp	Manageengine Recoverymanager Plus	< 6.0
Zohocorp	Manageengine Servicedesk Plus	< 14.2
Zohocorp	Manageengine Servicedesk Plus Msp	< 14.3
Zohocorp	Manageengine Sharepoint Manager Plus	< 4.4
Zohocorp	Manageengine Supportcenter Plus	< 14.3

Related Weaknesses (CWE)

CWE-287

References

https://manageengine.comProduct
https://www.manageengine.com/security/advisory/CVE/CVE-2023-35785.htmlPatchVendor Advisory
https://manageengine.comProduct
https://www.manageengine.com/security/advisory/CVE/CVE-2023-35785.htmlPatchVendor Advisory

FAQ

What is CVE-2023-35785?

CVE-2023-35785 is a vulnerability with a CVSS score of 8.1 (HIGH). Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4...

How severe is CVE-2023-35785?

CVE-2023-35785 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-35785?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Ad360, Zohocorp Manageengine Adaudit Plus, Zohocorp Manageengine Admanager Plus, Zohocorp Manageengine Assetexplorer, Zohocorp Manageengine Cloud Security Plus.