CVE-2022-24446 in Key Manager Plus
Summary
by MITRE • 03/01/2022
An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user with the Operator level can see all SSH servers (and user information) even if no SSH server or user is associated with the operator.
Analysis
by VulDB Data Team • 05/30/2025
This vulnerability affects Zoho ManageEngine Key Manager Plus version 6.1.6: an operator user with limited privileges can bypass access controls and view all SSH servers, together with the user information associated with them. It is a critical authorization bypass that gives users with minimal permissions visibility into resources they should not be able to access. The root cause is improper access control validation in the application's privilege management: the operator role should only see the SSH servers and users assigned to its operational scope, but instead receives unrestricted access to the entire SSH server inventory.
Technically, the flaw sits in the application's data access layer, which does not validate whether the requesting operator is actually authorized to view a given SSH server entry. This is a classic case of insufficient authorization checks and maps to CWE-285 (Improper Authorization). The failure occurs at the application logic level, where the access control boundaries between user roles are not enforced, allowing privilege escalation through information disclosure.
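The following Python snippet is an added illustration of the authorization pattern described above; it is not Key Manager Plus code, and the role names, server records and operator assignments are constructed sample data. It places a listing function that only checks whether the caller's role may use the feature (the CWE-285 shape: no per-record scope filter, so an operator with no assignments still sees every server) next to a corrected version that decides authorization per object.

```python
"""Added illustration of the CWE-285 pattern described above; this is not
Key Manager Plus code, and every role name, server record and operator
assignment below is constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SSHServer:
    server_id: int
    host: str
    owner_user: str          # the user account associated with the server


@dataclass
class Account:
    name: str
    role: str                # "admin" or "operator" (constructed role names)
    assigned_servers: frozenset[int] = field(default_factory=frozenset)


# Constructed inventory: two servers; operator "bob" is assigned only one,
# and operator "carol" is assigned nothing at all.
INVENTORY: dict[int, SSHServer] = {
    1: SSHServer(1, "bastion.example.internal", "ops-user"),
    2: SSHServer(2, "db01.example.internal", "dba-user"),
}
ADMIN = Account("alice", "admin")
OPERATOR = Account("bob", "operator", frozenset({1}))
OPERATOR_NONE = Account("carol", "operator")


class Forbidden(Exception):
    """Raised when the caller may not perform the request."""


def list_servers_vulnerable(caller: Account) -> list[SSHServer]:
    """Vulnerable pattern: the role check only decides whether the caller may
    use the listing feature at all; the result set is never narrowed to the
    caller's scope, so an operator with no assignments still sees everything."""
    if caller.role not in ("admin", "operator"):
        raise Forbidden(caller.name)
    return list(INVENTORY.values())


def can_view(caller: Account, server_id: int) -> bool:
    """Object-level authorization decision, evaluated per record."""
    if caller.role == "admin":
        return server_id in INVENTORY
    if caller.role == "operator":
        return server_id in INVENTORY and server_id in caller.assigned_servers
    return False


def list_servers_fixed(caller: Account) -> list[SSHServer]:
    """Hardened listing: the feature-level check stays, and each record is
    additionally filtered through can_view(), so unassigned operators get []."""
    if caller.role not in ("admin", "operator"):
        raise Forbidden(caller.name)
    return [s for sid, s in INVENTORY.items() if can_view(caller, sid)]


def get_server_fixed(caller: Account, server_id: int) -> SSHServer:
    """Direct lookup with the same per-object check. Missing and out-of-scope
    ids produce the same error, so an operator cannot enumerate valid ids."""
    if not can_view(caller, server_id):
        raise Forbidden(f"{caller.name} -> server {server_id}")
    return INVENTORY[server_id]


def visible_hosts(listing, caller: Account) -> list[str]:
    """Convenience for comparing the two listings side by side."""
    return sorted(s.host for s in listing(caller))


if __name__ == "__main__":
    for account in (ADMIN, OPERATOR, OPERATOR_NONE):
        print(account.name, account.role,
              "vulnerable:", visible_hosts(list_servers_vulnerable, account),
              "fixed:", visible_hosts(list_servers_fixed, account))
```

The design point is that the hardened version keeps the feature-level role check but adds a second decision per record, and applies that same decision to direct lookups so that a list view and an item view cannot disagree about what an operator is allowed to see.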
Operationally, this vulnerability is a significant risk for organizations that use Key Manager Plus for SSH key management and access control. A malicious or compromised operator account could use it to obtain a complete view of the organization's SSH infrastructure: which critical systems exist, how the network is laid out, and which user credentials and access patterns are in place. The impact therefore goes beyond simple information disclosure, since a map of the entire SSH estate supports further attacks such as lateral movement and privilege escalation. The flaw directly violates the principle of least privilege and the fundamental access control concepts outlined in the NIST Cybersecurity Framework.
Organizations should apply the latest security patches from Zoho without delay, review and harden user role assignments, and add compensating controls such as network segmentation. The vulnerability underlines the importance of a correct role-based access control implementation and of regular security testing that includes privilege escalation tests. Monitoring for unusual access patterns that might indicate exploitation attempts is also advisable. The case maps to ATT&CK technique T1078 (Valid Accounts), which covers the use of legitimate accounts for privilege escalation, and it illustrates why defense in depth, with authorization validated at multiple layers, is needed to prevent unauthorized information disclosure.