CVE-2026-5785
Description
Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in ManageEngine PAM360 and Password Manager Pro allows a Password Auditor to escalate privileges.
Vulnerability
Overview
An authenticated SQL injection vulnerability exists in the query report module of Zohocorp ManageEngine PAM360 (versions before 8531) and ManageEngine Password Manager Pro (versions from 8600 to 13230). The flaw allows an attacker with a Password Auditor role to execute arbitrary SQL queries through the report functionality, bypassing intended access controls [1].
Exploitation
To exploit this vulnerability, an attacker must first authenticate with a valid Password Auditor role, which is a lower-privileged account. The injection occurs in the query report module, where user-supplied input is not properly sanitized before being used in SQL statements. No additional network access beyond the application is required [1].
Impact
Successful exploitation enables the attacker to execute custom SQL queries, potentially leading to privilege escalation to a Privileged Administrator. This elevated access allows the attacker to perform sensitive actions, such as viewing or modifying stored passwords, changing configuration, and carrying out other administrative operations [1].
Mitigation
Zohocorp has released fixed versions: Password Manager Pro build 13231 (released 07-04-2026) and PAM360 build 8531 (released 02-04-2026). Users should upgrade immediately. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ManageEngine PAM360: versions before 8531
- ManageEngine Password Manager Pro: versions 8600 to 13230
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.