In a blog post, GitHub security researcher Alvaro Muñoz described the vulnerability, which involved ManageEngine’s Password Manager Pro, access management tool PAM360, and Access Manager Plus, according to SC Media.
Muñoz reported the vulnerability (CVE-2020-9496) to ManageEngine on June 21. The software vendor acknowledged the vulnerability and issued a patch on June 24.
ManageEngine develops multiple tools for IT professionals, MSPs and MSSPs. Password Manager Pro has an MSP edition. It features a multi-tenant architecture, centralized management and auditing capabilities. The net result: An MSP or MSSP can manage multiple customers from a single dashboard.
CISA, FBI, UK Repeatedly Issue Ransomware Attack Warnings to MSPs
Still, multi-tenant MSP software provides a tempting target for hackers, since attacking one software platform can provide a doorway into multiple downstream customer systems.
Against that backdrop, CISA, the FBI and UK authorities have repeatedly warned MSPs about inbound ransomware attacks.
The latest joint warning, issued in May 2022, included 12 tips to help MSPs reduce the risk of ransomware attacks. Separately, Microsoft issued a ransomware cyberattack warning to small businesses and their IT service providers in July 2022.