CVE-2022-24447 in Key Manager Plus

Summary

by MITRE • 03/02/2022

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.


Analysis

by VulDB Data Team • 05/30/2025

The vulnerability identified as CVE-2022-24447 represents a critical access control flaw within Zoho ManageEngine Key Manager Plus version 6200 and earlier. This issue stems from improper privilege validation mechanisms that allow users with the Operator role to bypass normal security boundaries and access sensitive cryptographic materials. The flaw exists within the application's service architecture where certificate export functionality does not properly enforce role-based access controls, creating an unauthorized access vector that could compromise the security posture of organizations relying on this key management solution.

The technical implementation of this vulnerability manifests through the application's service layer that handles certificate export operations. When an Operator-level user attempts to export SSL certificates and their associated private key pairs, the system fails to validate whether the user possesses the administrative privileges required for such a sensitive operation. This missing check allows the service to return certificate data regardless of the user's actual permission level, effectively creating a privilege escalation path that violates the principle of least privilege. The vulnerability specifically affects the export functionality, where certificate data is retrieved from the system's key store without proper authorization checks.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential cryptographic compromise and regulatory violations. Organizations using affected versions of Key Manager Plus may face significant security risks including certificate theft, man-in-the-middle attacks, and potential data breaches if attackers exploit this vulnerability to obtain private keys. The exposure of private key pairs alongside certificates creates a complete cryptographic compromise that could allow attackers to impersonate services, decrypt sensitive communications, and establish persistent access to network resources. This vulnerability directly impacts compliance with security frameworks such as PCI DSS, HIPAA, and SOC 2, whose requirements mandate proper protection of cryptographic keys and certificates.

Mitigation strategies for CVE-2022-24447 should prioritize immediate patch deployment to version 6200 or later, where the access control mechanisms have been properly implemented. Organizations should also implement network segmentation to limit access to the Key Manager Plus service to authorized administrative users only, and establish monitoring for unauthorized certificate export attempts. Additional controls include implementing role-based access reviews, enforcing multi-factor authentication for administrative functions, and conducting regular security assessments of key management systems. This vulnerability aligns with CWE-284, which addresses improper access control, and ATT&CK technique T1552.004, which covers credentials from password storage repositories, highlighting the need for comprehensive key management security controls and proper privilege validation mechanisms.
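The flawed pattern described in the analysis above, beside a hardened form that enforces the role check and records export attempts for monitoring. This is an added illustration, not Key Manager Plus code; the role names, the key-store layout, the export functions and the audit log format are assumptions of the example.

```python
# Added illustration of the access-control gap (not Key Manager Plus code).
# Roles, key-store layout, export API and log format are assumptions.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    OPERATOR = "Operator"
    ADMINISTRATOR = "Administrator"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass(frozen=True)
class StoredCertificate:
    cert_pem: str
    key_pem: str


# Constructed sample key store; PEM bodies are placeholders, not real key material.
KEY_STORE = {
    "web01.example.test": StoredCertificate(
        cert_pem="-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        key_pem="-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
    )
}

AUDIT_LOG = []  # lines a SIEM rule could watch for "result=denied_private_key"


def export_vulnerable(user: User, name: str) -> dict:
    """Flawed pattern: the caller is authenticated, but its role is never consulted."""
    entry = KEY_STORE[name]
    return {"certificate": entry.cert_pem, "private_key": entry.key_pem}


def export_hardened(user: User, name: str) -> dict:
    """Least privilege: the private key leaves the store only for Administrators,
    Operators receive the public certificate alone, and every attempt is logged."""
    entry = KEY_STORE[name]
    result = {"certificate": entry.cert_pem}
    if user.role is Role.ADMINISTRATOR:
        result["private_key"] = entry.key_pem
        AUDIT_LOG.append(f"EXPORT_KEYPAIR user={user.name} cert={name} result=allowed")
    else:
        AUDIT_LOG.append(f"EXPORT_KEYPAIR user={user.name} role={user.role.value} "
                         f"cert={name} result=denied_private_key")
    return result
```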

Reservation: 02/04/2022

Disclosure: 03/02/2022

Moderation: accepted

CPE: ready

EPSS: 0.00851

KEV: no

Activities: very low

Sources
