
CVE-2022-24446: n/a in n/a

Severity: High
Published: Tue Mar 01 2022 (03/01/2022, 02:01:27 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

AI-Powered Analysis

Last updated: 07/08/2025, 15:40:40 UTC

Technical Analysis

CVE-2022-24446 is a security vulnerability identified in Zoho ManageEngine Key Manager Plus version 6.1.6. The vulnerability allows a user assigned the role of 'Operator' to view all SSH servers and associated user information within the system, regardless of whether those servers or users are explicitly assigned or associated with that operator. This represents an authorization bypass issue where access controls fail to properly restrict visibility of sensitive infrastructure details based on user roles and permissions. Key Manager Plus is a privileged access management (PAM) solution designed to securely manage SSH keys and credentials across enterprise environments. Operators typically have limited privileges intended to restrict their visibility and actions to only specific assets or users. However, due to this flaw, operators can gain unauthorized access to sensitive information about all SSH servers and user accounts managed by the platform. This information disclosure can aid attackers or malicious insiders in reconnaissance activities, enabling them to identify critical systems and user credentials to target for further exploitation. Although the vulnerability does not appear to allow direct modification or control over the SSH servers or credentials, the exposure of this sensitive data undermines the principle of least privilege and increases the risk of lateral movement or privilege escalation within the network. The vulnerability does not have a CVSS score assigned and there are no known exploits in the wild as of the published date. No official patches or mitigations were linked in the provided information, indicating that organizations using the affected version should urgently review their access controls and consider compensating controls to limit exposure.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of critical infrastructure credentials and system information. Many enterprises and public sector entities in Europe rely on ManageEngine Key Manager Plus to manage privileged access securely. Unauthorized visibility into all SSH servers and user accounts can facilitate targeted attacks, including credential theft, lateral movement, and eventual compromise of sensitive systems. This is particularly concerning for sectors with stringent regulatory requirements such as finance, healthcare, and government, where unauthorized access to privileged credentials can lead to data breaches, operational disruption, and compliance violations under GDPR and other regulations. The exposure of SSH server and user details could also aid threat actors in crafting sophisticated phishing or social engineering campaigns. Although the vulnerability does not directly enable remote code execution or system takeover, the information disclosure significantly weakens the security posture and increases the attack surface. Organizations with large, distributed IT environments or those employing multiple operators with limited privileges are especially at risk, as the flaw effectively nullifies role-based access restrictions. The absence of a patch or fix at the time of disclosure further elevates the urgency for European organizations to implement alternative security measures to mitigate potential exploitation.

Mitigation Recommendations

1. Immediate review and restriction of Operator role assignments: Limit the number of users assigned the Operator role and ensure that only fully trusted personnel hold this role.
2. Implement strict network segmentation and monitoring around Key Manager Plus servers to detect unusual access patterns or data exfiltration attempts.
3. Employ compensating controls such as additional authentication layers (e.g., multi-factor authentication) for accessing the Key Manager Plus console.
4. Regularly audit and monitor logs for unauthorized access or attempts to view SSH server and user information beyond assigned privileges.
5. If feasible, upgrade to a later version of Key Manager Plus where this vulnerability is addressed; if no patch is available, engage with the vendor for guidance or temporary workarounds.
6. Consider deploying external privileged access management or vaulting solutions to reduce reliance on a single tool with known vulnerabilities.
7. Educate operators and administrators about the risks of privilege escalation and the importance of adhering to least privilege principles.
8. Isolate the Key Manager Plus management interface from general user networks to reduce exposure.

These steps go beyond generic advice by focusing on role management, monitoring, and compensating controls tailored to the specific nature of this vulnerability.
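Recommendation 4 asks for audit-log review of operators viewing SSH server or user data beyond their associations, which is exactly the scoping check the analysis says Key Manager Plus 6.1.6 fails to apply. The script below is an added example, not code from the product or the advisory: it assumes a hypothetical key=value audit-line format and a constructed operator-to-server association table, and flags every Operator view that falls outside that table.

```python
import re
from collections import defaultdict

# Constructed association table (assumption: the PAM tool records which SSH
# servers each Operator is explicitly associated with). "bob" has none, the
# situation the CVE describes.
ASSOCIATIONS = {
    "alice": {"srv-1"},
    "bob": set(),
}

# Constructed audit lines in a hypothetical "key=value" format, not real
# Key Manager Plus log output.
AUDIT_LOG = """\
2022-03-01T02:01:27Z user=alice role=Operator action=VIEW_SSH_SERVER server=srv-1
2022-03-01T02:02:10Z user=bob role=Operator action=VIEW_SSH_SERVER server=srv-1
2022-03-01T02:02:11Z user=bob role=Operator action=VIEW_SSH_SERVER server=srv-2
2022-03-01T02:02:12Z user=bob role=Operator action=VIEW_SSH_USERS server=srv-3
2022-03-01T02:05:00Z user=carol role=Admin action=VIEW_SSH_SERVER server=srv-3
2022-03-01T02:06:00Z user=alice role=Operator action=VIEW_SSH_SERVER server=srv-2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) server=(?P<server>\S+)$"
)
SENSITIVE_ACTIONS = {"VIEW_SSH_SERVER", "VIEW_SSH_USERS"}


def operator_in_scope(user, server):
    """True only if the operator is explicitly associated with the server.
    An operator with no associations is in scope for nothing."""
    return server in ASSOCIATIONS.get(user, set())


def find_out_of_scope_views(log_text):
    """Group, per Operator, every SSH server/user view outside its associations.
    Non-Operator roles are skipped; they are governed by other rules."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        d = m.groupdict()
        if d["role"] != "Operator" or d["action"] not in SENSITIVE_ACTIONS:
            continue
        if not operator_in_scope(d["user"], d["server"]):
            hits[d["user"]].append((d["ts"], d["action"], d["server"]))
    return dict(hits)
```

A single out-of-scope hit is a policy violation; an operator with no associations appearing against every server is the signature of this bug rather than of a misconfigured association table.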


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-02-04T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b72fe1

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 3:40:40 PM

Last updated: 8/17/2025, 10:10:16 AM
