Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept (PoC) code and a deep-dive blog will be released within a week.
A long list of vulnerable ManageEngine products and their fixed version can be found in the ManageEngine advisory. Clicking on the URLs under Fixed Version(s) behind the affected product takes you to the update instructions for that product.
The vulnerability, listed under CVE-2022-47966, is described as an unauthenticated remote code execution vulnerability. The vulnerability is caused by the use of an outdated third-party dependency, Apache Santuario. Apache Santuario is used for XML syntax and processing. The vulnerability allows a successful attacker remote code execution with SYSTEM level access, meaning the entire system could be compromised.
Zoho used Security Assertion Markup Language (SAML) to simplify the authentication process. SAML is an open standard used for authentication and based upon the Extensible Markup Language (XML) format.
According to Horizon3:
The vulnerability is easy to exploit and a good candidate for attackers to “spray and pray” across the internet.
An attacker would need to send a specially crafted SAML request to trigger the exploit.
Please note that depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. So, even if you do not currently have SAML enabled, you are under advice to install the patch with priority.
A Shodan scan performed by the researchers showed 5255 exposed instances of ServiceDesk Plus of which 509 have SAML enabled, and 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled. At the moment we have no knowledge of active attacks against this vulnerability, but that might change rapidly once the PoC code is available.
In September, 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) were found to be being actively exploited after several PoCs and a Metasploit module for it were made public.
IOCs for ServiceDesk Plus, Endpoint Central, and Other ManageEngine Products can be found in the blogpost by Horizon3 about this vulnerability.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.