Attackers Exploiting ManageEngine CVE-2022-47966 Flaw

Attackers are actively exploiting a recently disclosed critical remote code execution vulnerability (CVE-2022-47966) present in multiple ManageEngine products, and researchers are warning organizations that have not yet updated their software to do so as quickly as possible.

A researcher with Viettel Cyber Security in Vietnam discovered the vulnerability and reported it to Zoho, the maker of the ManageEngine products, in October. The company released updates to address it a few days later, but the details of the flaw only became public in the last few days after Zoho released an advisory on Jan. 10. The vulnerability affects a long list of the company’s popular IT management software and is the result of using an outdated version of the Apache Santuario library for XML signature validation.

Although the fixed versions have been available for several months, concerns about the vulnerability have increased since the details of the bug became public. Exploitation of the bug gives an attacker remote code execution, and researchers at Horizon3 on Thursday released a proof-of-concept exploit for it, along with a detailed technical analysis of the flaw and the patch.

“Depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management,” James Horseman of Horizon3 wrote in an analysis of the flaw.

“Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with highly privileged credentials.”

On Thursday, Rapid7 researchers reported that the company had responded to several compromises resulting from exploitation of the ManageEngine vulnerability.

“Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun,” Glenn Thorpe of Rapid7 said in a post Thursday evening.

The ManageEngine products are widely deployed in a broad range of organizations and are used for critical IT management functions, including password management, Active Directory management, and device control. The vulnerability affects products in which SAML SSO is currently enabled or, for some products, was enabled at any point in the past.

“The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' across the Internet. This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done,” Horseman said.