CISA: Critical Zoho ManageEngine Flaw Actively Exploited
A previously patched, critical vulnerability in Zoho ManageEngine, which offers enterprise IT management software, is now being exploited, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The unauthenticated remote code execution bug (CVE-2022-35405) exists in several Zoho ManageEngine tools for managing privileged accounts and their access. Specifically, ManageEngine Password Manager Pro before build 12101 and PAM360 (ManageEngine’s privileged access management program) before build 5510 are vulnerable. ManageEngine Access Manager Plus before build 4303 is also affected, but there an attacker would first need valid credentials, since the bug is only reachable after authentication.

“CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation,” according to CISA’s Thursday alert. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”

Zoho fixed the flaw in June by removing the vulnerable components from PAM360 and Access Manager Plus, and by removing the vulnerable parser from Password Manager Pro. However, a proof-of-concept (POC) exploit for the flaw is publicly available, and customers are strongly recommended “to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately,” according to Zoho’s advisory.

CISA did not provide further details about how the flaw is being exploited and how widespread exploitation efforts are. Bob Rudis, VP of data science with GreyNoise, said GreyNoise started seeing exploitation attempts for CVE-2022-35405 on Sept. 7, "but has not seen widespread exploitation attempts since those initial ones."

The ManageEngine platform has previously been a popular attack vector for threat groups. In December, APT groups targeted a months-old remote code execution vulnerability in ManageEngine ServiceDesk Plus in order to upload malicious files, drop webshells and carry out other malicious activity. In November, the U.S. government also warned that APT actors were using several different tools in attacks exploiting an authentication bypass flaw in the Zoho ManageEngine ADSelfService Plus password management application.

Per CISA’s previously issued binding operational directive (BOD 22-01), federal agencies have until Oct. 13 to remediate the bug now that it has been added to the Known Exploited Vulnerabilities catalog.

However, “although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” according to CISA.