VYPR
Unrated severity · NVD Advisory · Published May 20, 2024 · Updated Oct 7, 2024

Authorization vulnerability in PAM360

CVE-2024-27312

Description

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to an authorization vulnerability which allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ManageEngine PAM360 6600 has an authorization flaw letting low-privileged users perform admin actions via crafted requests; fixed in version 6601.

Vulnerability

An authorization vulnerability exists in Zohocorp ManageEngine PAM360 version 6600. The internal security team discovered that the product fails to properly enforce access controls, allowing a low-privileged user to perform administrative actions. The issue affects only builds installed or upgraded to version 6600 on or before 10 April 2024 [1].

Exploitation

An attacker with a low-privileged account can exploit this vulnerability by sending specially crafted requests to the PAM360 server. No additional authentication or network position beyond existing user access is required; the flaw lies in the software's authorization logic [1].

Impact

Successful exploitation enables a non-admin user to execute privileged operations, effectively granting the attacker administrative control over the PAM360 instance. This can lead to full compromise of the privileged access management solution, including disclosure or manipulation of sensitive credentials and configurations [1].

Mitigation

Zohocorp released PAM360 version 6601 on 10 April 2024, which fixes the authorization vulnerability. Customers running version 6600 are strongly advised to upgrade to the latest build immediately. Upgrade packs are available from the product's update page [1]. No workarounds are documented.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
