Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products.
This pre-authentication RCE flaw, tracked as CVE-2022-47966, stems from the products bundling an outdated, vulnerable version of the Apache Santuario XML security library.
Unauthenticated attackers can execute arbitrary code on a ManageEngine instance if SAML-based single sign-on (SSO) is enabled, or was enabled at least once before the attack.
Almost all ManageEngine products are affected. Zoho patched them in several waves starting on October 27, 2022, by updating the third-party dependency to a fixed version. The affected products include:
Access Manager Plus
Active Directory 360
Password Manager Pro
Application Control Plus
Patch Manager Plus
Browser Security Plus
Device Control Plus
Remote Monitoring and Management (RMM)
Endpoint Central MSP
Remote Access Plus
Key Manager Plus
ServiceDesk Plus MSP
Vulnerability Manager Plus
Horizon3 security researchers released a proof-of-concept (PoC) exploit and technical analysis for the vulnerability earlier today, following a warning on Thursday that a CVE-2022-47966 PoC would be available later this week.
“The vulnerability allows an attacker to gain remote code execution by issuing an HTTP POST request containing a malicious SAML response,” the researchers said.
“This POC abuses the pre-authentication remote code execution vulnerability to run a command with Java’s Runtime.exec method,” they added.
The PoC exploit was tested against ServiceDesk Plus and Endpoint Central, and Horizon3 “expect this POC to work unmodified on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.”
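The page says the trigger is a single HTTP POST carrying a malicious SAML response, which makes the SAML assertion consumer endpoint the natural place to look for exploitation attempts. The script below is an added example written for this page, not code from Horizon3, Zoho or any ManageEngine product. It assumes, based on the bug living in the Apache Santuario XML Signature library, that a hostile response embeds an XSLT stylesheet as a ds:Transform inside the signature and declares a Java extension namespace (the Xalan java bridge); a legitimate IdP response uses only the enveloped-signature and canonicalization transforms. The two SAML responses and the POST bodies are constructed fixtures, not captured traffic.

```python
"""Flag form-encoded SAML POSTs whose response carries an XSLT transform.

Added example for CVE-2022-47966 triage; not Zoho's or Horizon3's code.
Assumptions (not stated on the page): the payload arrives as the usual
SAMLResponse form parameter, and a hostile response uses the XSLT
transform algorithm and/or a Xalan Java extension namespace.
"""
import base64
import binascii
import io
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# XMLDSig identifier for the XSLT transform. Valid per the spec, but no
# SAML IdP needs it, so its presence is treated as hostile here.
XSLT_TRANSFORM_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Namespace URIs that hand a stylesheet access to Java classes (assumption:
# never legitimate inside a SAML response).
JAVA_EXT_MARKERS = ("xml.apache.org/xalan/java", "xalan://")


def decode_saml_response(post_body: str) -> Optional[str]:
    """Extract and base64-decode the SAMLResponse parameter of a POST body."""
    values = parse_qs(post_body).get("SAMLResponse")
    if not values:
        return None
    try:
        return base64.b64decode(values[0]).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def find_indicators(saml_xml: str) -> List[str]:
    """Return the reasons a SAML response looks like an XSLT-injection attempt."""
    hits: List[str] = []
    declared_ns = set()
    # ElementTree drops xmlns declarations from attrib, so collect them via
    # start-ns events; the start events let us inspect each element's attributes.
    try:
        for event, payload in ET.iterparse(
            io.BytesIO(saml_xml.encode("utf-8")), events=("start-ns", "start")
        ):
            if event == "start-ns":
                declared_ns.add(payload[1])
                continue
            el = payload
            if el.tag == "{%s}Transform" % DS_NS and el.get("Algorithm") == XSLT_TRANSFORM_ALG:
                hits.append("ds:Transform using the XSLT transform algorithm")
            if el.tag.startswith("{%s}" % XSL_NS):
                msg = "XSLT stylesheet element inside the response"
                if msg not in hits:
                    hits.append(msg)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    for uri in sorted(declared_ns):
        if any(marker in uri for marker in JAVA_EXT_MARKERS):
            hits.append("Java extension namespace declared: " + uri)
    return hits


def inspect_post_body(post_body: str) -> List[str]:
    """Indicators for one POST body; empty list means nothing suspicious."""
    xml_text = decode_saml_response(post_body)
    if xml_text is None:
        return []  # not a SAML POST (or undecodable); nothing to inspect
    return find_indicators(xml_text)


def _post_body(xml_text: str) -> str:
    """Build a form-encoded body the way a browser would submit it (constructed)."""
    return urlencode({"SAMLResponse": base64.b64encode(xml_text.encode()).decode()})


# Constructed fixture: what a normal IdP response's signature block looks like.
BENIGN_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:ds="%s" ID="_r1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>""" % (SAMLP_NS, DS_NS)

# Constructed fixture: an XSLT transform carrying a Xalan Java namespace.
SUSPICIOUS_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:ds="%s" ID="_r2">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r2"><ds:Transforms>
    <ds:Transform Algorithm="%s">
      <xsl:stylesheet version="1.0" xmlns:xsl="%s"
          xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
        <xsl:template match="/">constructed sample</xsl:template>
      </xsl:stylesheet>
    </ds:Transform>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>""" % (SAMLP_NS, DS_NS, XSLT_TRANSFORM_ALG, XSL_NS)

BENIGN_POST = _post_body(BENIGN_RESPONSE)
SUSPICIOUS_POST = _post_body(SUSPICIOUS_RESPONSE)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_POST), ("suspicious", SUSPICIOUS_POST)):
        print(label, inspect_post_body(body))
```

Run it over the request bodies your reverse proxy or WAF logs for the SAML endpoint; any hit is worth an alert regardless of whether SAML is currently enabled, since the page notes that a product is exposed if SSO was ever turned on.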
Horizon3 has previously released exploit code for other critical security flaws in several different products, including:
CVE-2022-28219, a critical flaw in Zoho ManageEngine ADAudit Plus that lets attackers compromise Active Directory accounts,
CVE-2022-1388, a critical vulnerability allowing remote code execution in F5 BIG-IP networking devices,
and CVE-2022-22972, a critical authentication bypass bug in multiple VMware products that can let threat actors gain admin privileges.
Incoming ‘spray and pray’ attacks
Last week, Horizon3 researchers also warned of a potential wave of attacks once the PoC exploit was public, since “the vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet.”
Using Shodan, they found thousands of unpatched ServiceDesk Plus and Endpoint Central servers exposed online, and estimated that about 10% of them are exploitable via CVE-2022-47966 because they have SAML enabled.
While there are no reports of in-the-wild exploitation so far, threat actors will likely move quickly to build their own RCE exploits on top of Horizon3’s PoC code.
In recent years, financially motivated and state-backed threat groups have heavily targeted Zoho ManageEngine servers.
For instance, in July 2020 threat actors sold access to breached organizations’ networks on hacking forums after compromising Internet-exposed Desktop Central instances.
Between August and October 2021, ManageEngine servers were the target of a campaign orchestrated by nation-state hackers using tactics, techniques, and procedures (TTPs) similar to those of the Chinese APT27 hacking group.
Following these and other attacks targeting ManageEngine, CISA and the FBI issued two joint advisories [1, 2] to warn of state-backed attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.