Introduction
An authenticated SQL injection in ManageEngine's privileged access management products allows a user holding the low-privilege Password Auditor role to decrypt stored credentials and escalate to full administrative control. For organizations relying on Password Manager Pro or PAM360 as their enterprise credential vault, this vulnerability effectively turns a read-oriented auditor account into a skeleton key for the entire password repository.
ManageEngine, a division of Zoho Corporation, provides enterprise IT management solutions used by organizations worldwide. Password Manager Pro and PAM360 are privileged access management (PAM) products designed to secure, store, and manage sensitive credentials and secrets across an enterprise. These products occupy a critical position in security infrastructure, making any vulnerability in them particularly consequential.
Technical Information
CVE-2026-5785 is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The vulnerability carries a CVSS score of 8.1, placing it firmly in the "high severity" category.
Root Cause
The flaw resides in the Query Reports module of both Password Manager Pro and PAM360. This module is designed to let users extract specific data from the application's repository by writing custom SQL queries. A critical design characteristic of this module is its native support for decrypting sensitive data: users can invoke a decrypt function on encrypted columns, which are identified by the SCHAR data type in the database schema.
The root cause is insufficient input sanitization within the Query Reports module. When a user holding the Password Auditor role submits a custom query, the application fails to validate and sanitize the submitted SQL before executing it against the backend database, and so does not confine it to the read-only reporting scope the module is meant to offer. This allows an attacker to break out of the intended query boundary and execute arbitrary SQL statements, including writes.
Attack Flow
Based on the advisory details, exploitation follows this sequence:
- Initial Access: The attacker authenticates to the ManageEngine application with a valid account that holds the Password Auditor role. This is a legitimate, low-privilege role intended for compliance and reporting purposes.
- SQL Injection via Query Reports: The attacker navigates to the Query Reports module and crafts a malicious SQL query. Because the module accepts user-constructed SQL and the application does not properly sanitize the input, the attacker can inject arbitrary SQL commands.
- Data Exfiltration and Decryption: The attacker leverages the module's built-in decrypt function to read and decrypt sensitive columns (those with the SCHAR data type) from the backend database. This gives the attacker access to stored credentials in plaintext.
- Privilege Escalation: With access to the underlying database and the ability to execute arbitrary SQL, the attacker modifies their own role or creates a new account with Privileged Administrator permissions. At this point, the attacker has full administrative control over the PAM solution.
The combination of SQL injection with the application's own decryption capabilities makes this vulnerability particularly impactful. The attacker does not need to break any encryption externally; the application itself provides the decryption mechanism through the query report feature.
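The following model of the root cause and attack flow is an added example, not code from ManageEngine or from the advisory. It builds a constructed in-memory SQLite vault (hypothetical `app_user` and `credential` tables, and a base64 stand-in registered as `decrypt()` in place of the real decryption routine) and runs the same auditor-supplied report text through two executors: a vulnerable one that executes every statement it is handed, so a stacked UPDATE after the SELECT promotes the auditor, and a hardened one that accepts only a single SELECT and additionally registers a read-only SQLite authorizer so the connection itself refuses writes even if validation were bypassed. The validation rules and the authorizer are this example's own defense-in-depth design; the vendor only states that the fix adds proper validation and sanitization.

```python
"""
Toy model of a PAM 'query report' feature: the user writes SQL and the
application runs it against the vault database. Everything here is
constructed for illustration: the schema, table names, the base64
stand-in for the module's decrypt() function and the validation logic
are hypothetical and not ManageEngine's. Standard library only.
"""
import base64
import re
import sqlite3


def build_vault() -> sqlite3.Connection:
    """Constructed sample vault: one admin, one auditor, two stored secrets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_user(name TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE credential(account TEXT, secret_enc TEXT);
        INSERT INTO app_user VALUES ('alice', 'Privileged Administrator'),
                                    ('bob',   'Password Auditor');
    """)
    for account, secret in (("root@db01", "Passw0rd!"), ("svc-backup", "backup-secret")):
        conn.execute("INSERT INTO credential VALUES (?, ?)",
                     (account, base64.b64encode(secret.encode()).decode()))
    conn.commit()
    # Stand-in for the report module's decrypt(): base64, not real crypto.
    conn.create_function("decrypt", 1, lambda v: base64.b64decode(v).decode())
    return conn


def role_of(conn: sqlite3.Connection, name: str) -> str:
    return conn.execute("SELECT role FROM app_user WHERE name = ?", (name,)).fetchone()[0]


# What the auditor types into the report box: a legitimate-looking SELECT that
# uses decrypt() on the encrypted column, then (in the attack) a stacked UPDATE
# that promotes the auditor's own account.
LEGIT_REPORT = "SELECT account, decrypt(secret_enc) FROM credential ORDER BY account"
ATTACK_REPORT = (LEGIT_REPORT + "; "
                 "UPDATE app_user SET role = 'Privileged Administrator' WHERE name = 'bob'")


def run_report_unsafe(conn: sqlite3.Connection, user_sql: str) -> list:
    """Vulnerable pattern: every statement in the user's text is executed."""
    rows = []
    cur = conn.cursor()
    for stmt in (s.strip() for s in user_sql.split(";")):
        if stmt:
            cur.execute(stmt)
            rows.extend(cur.fetchall())
    conn.commit()
    return rows


_FORBIDDEN = re.compile(r"--|/\*|;")


def validate_report_query(user_sql: str) -> str:
    """Layer 1: accept exactly one SELECT, with no comments or separators."""
    q = user_sql.strip()
    if _FORBIDDEN.search(q):
        raise ValueError("comments and statement separators are not allowed")
    if not re.match(r"(?is)^select\b", q):
        raise ValueError("report queries must be a single SELECT")
    return q


def _read_only(action, arg1, arg2, dbname, source):
    """Layer 2: the DB connection itself refuses anything but reads."""
    # SQLITE_FUNCTION (code 31) must be allowed so decrypt() still works.
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
               getattr(sqlite3, "SQLITE_FUNCTION", 31)}
    return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY


def run_report_hardened(conn: sqlite3.Connection, user_sql: str) -> list:
    q = validate_report_query(user_sql)
    conn.set_authorizer(_read_only)   # stays in force for the connection's lifetime
    return conn.execute(q).fetchall()


def write_is_denied(conn: sqlite3.Connection) -> bool:
    """True if the connection's authorizer blocks a direct UPDATE."""
    try:
        conn.execute("UPDATE app_user SET role = 'Privileged Administrator' WHERE name = 'bob'")
    except sqlite3.DatabaseError:   # SQLite reports 'not authorized'
        return True
    return False


def demo() -> dict:
    """Run the same report text against both executors and record the outcome."""
    out = {}
    v1 = build_vault()
    out["unsafe_rows"] = run_report_unsafe(v1, ATTACK_REPORT)   # plaintext secrets
    out["unsafe_role"] = role_of(v1, "bob")                     # escalated
    v2 = build_vault()
    try:
        run_report_hardened(v2, ATTACK_REPORT)
        out["hardened_error"] = None
    except ValueError as exc:
        out["hardened_error"] = str(exc)
    out["hardened_role"] = role_of(v2, "bob")                   # still an auditor
    out["hardened_rows"] = run_report_hardened(v2, LEGIT_REPORT)
    out["write_denied"] = write_is_denied(v2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the hardened path does and does not fix: the auditor can still read and decrypt whatever the report feature legitimately exposes, because decrypt() is part of the feature; what is removed is the write path from report text to the user table, which is the step that turns a data leak into full administrative control.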
Patch Information
Zohocorp has released patched versions for both affected products that resolve the authenticated SQL injection vulnerability in the query report module. The fix was delivered as product upgrade packs. Since both Password Manager Pro and PAM360 are closed source enterprise applications, there are no public code diffs available.
| Product | Affected Versions | Fixed Version | Patch Date |
|---|---|---|---|
| PAM360 | All versions up to and including 8530 | 8531 | April 2, 2026 |
| Password Manager Pro | Versions 8600 through 13230 | 13231 | April 7, 2026 |
PAM360 received its fix first, with build 8531 shipping on April 2, 2026, just five days after the vulnerability was reported to the vendor on March 28, 2026. Password Manager Pro followed with build 13231 on April 7, 2026. Both release notes describe the fix identically: an SQL injection vulnerability was identified and fixed.
Notably, the Password Manager Pro 13231 hotfix also bundles a separate fix for a Remote Code Execution (RCE) vulnerability in a third party package, so upgrading to this build addresses two distinct security issues at once.
At its core, the fix applies proper validation and sanitization of user supplied input within the query report module, closing the SQL injection vector and preventing privilege escalation from Password Auditor to Privileged Administrator.
Upgrade Procedure
Before applying the upgrade packs, administrators must perform a complete backup of the installation folder and store it in a separate location. If the deployment uses a Microsoft SQL Server as the backend database, a full database backup is also required prior to the upgrade. Once the upgrade completes successfully, administrators should delete these backups.
Download the latest upgrade packs from the vendor's official pages:
- Password Manager Pro: Upgrade Pack
- PAM360: Upgrade Pack
Affected Systems and Versions
The following product versions are confirmed vulnerable:
- ManageEngine Password Manager Pro: Versions 8600 through 13230
- ManageEngine PAM360: All versions up to and including 8530
Organizations running any version within these ranges should upgrade to the fixed builds (Password Manager Pro 13231 or PAM360 8531) as soon as possible.
Vendor Security History
ManageEngine's PAM360 and Password Manager Pro product lines have a documented pattern of SQL injection vulnerabilities over the past several years:
- CVE-2024-5546: SQL injection, fixed in version 7001 on June 14, 2024
- CVE-2022-47523: SQL injection, fixed in version 5801 on December 28, 2022
- CVE-2022-43671 and CVE-2022-43672: SQL injection flaws, fixed in version 5711 on October 22, 2022
- CVE-2022-40300: SQL injection, fixed in version 5600 on September 11, 2022
This recurring pattern across multiple years reinforces the need for organizations using these products to maintain strict patch management practices and continuously monitor ManageEngine's security advisories.
References
- NVD Entry for CVE-2026-5785
- ManageEngine Advisory for CVE-2026-5785
- ManageEngine PAM360 Issues Fixed
- Password Manager Pro Release Notes
- PAM360 Release Notes
- ManageEngine Community Advisory for Password Manager Pro
- Query Reports Documentation
- Password Manager Pro Upgrade Pack
- PAM360 Upgrade Pack
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command