CVE-2025-11669
Authorization Bypass in ManageEngine PAM360 and Related Products
Publication date: 2026-01-13
Last updated on: 2026-02-02
Assigner: ManageEngine
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| zohocorp | pam360 | builds earlier than 8202 |
| zohocorp | password_manager_pro | builds earlier than 13221 |
| zohocorp | access_manager_plus | builds earlier than 4401 |
| zohocorp | manageengine_pam360 | up to and including 8.2 |
| zohocorp | manageengine_pam360 | 8.2 |
| zohocorp | manageengine_access_manager_plus | up to and including 4.4 |
| zohocorp | manageengine_access_manager_plus | 4.4 |
| zohocorp | manageengine_password_manager_pro | up to and including 13.2 |
| zohocorp | manageengine_password_manager_pro | 13.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11669 is a high-severity authorization vulnerability in ManageEngine's Password Manager Pro, PAM360, and Access Manager Plus. It allows authenticated users to initiate remote sessions to any resource managed by these products, as long as those resources are accessible from the servers where the products are installed. This means users with some level of access can potentially access resources they should not be authorized to use. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to critical resources by authenticated users, potentially exposing sensitive data or systems. Since it allows initiation of remote sessions without proper authorization checks, it can result in privilege escalation and compromise of confidentiality and integrity of managed resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should download and apply the latest upgrade packs from ManageEngine’s official upgrade pages to update PAM360 to build 8202 or later, Password Manager Pro to build 13221 or later, and Access Manager Plus to build 4401 or later. For further assistance, users can contact ManageEngine support via the email addresses provided in the vendor advisory. [1]