What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)
CVE-2022-47966, a critical vulnerability in a number of Zoho’s products, allows remote code execution without authentication. The use of a vulnerable third-party dependency called Apache Santuario is the root cause that enables the exploitation of the remote code execution vulnerability.
Every ManageEngine server that has at least once enabled SAML-based single-sign-on (SSO) is vulnerable to exploitation, whether it is active at the time of the attack or not.
An attacker could gain full control of the system by exploiting the CVE-2022-47966 vulnerability, which could enable an attacker to execute arbitrary code as NT AUTHORITYSYSTEM, a local account with very high privileges.
According to researchers, the vulnerability is simple to exploit and a good fit for spray and pray attacks. An attacker with System level access could dump credentials with LSASS (Local Security Authority Server Service) or choose to use other tools to obtain the credentials stored on the application, in order to move laterally.
Products Impacted by CVE-2022-47966
CVE-2022-47966 impacts all versions listed below and earlier. (*Exception)
Access Manager Plus
Active Directory 360
Application Control Plus
Browser Security Plus
Key Manager Plus
Password Manager Pro
Remote Monitoring and Management
ServiceDesk Plus MSP
11017 to 11025*
Is There a Proof-of-Concept for CVE-2022-47966?
Horizon3 has a proof-of-concept (PoC) exploit code that will be released this week; it is recommended that any vulnerable instances are patched before the PoC for the CVE-2022-47966 vulnerability is made public.
Is CVE-2022-47966 Under Active Exploitation?
There are no reports of the CVE-2022-47966 vulnerability being actively exploited, but it is at risk of being exploited once the PoC is made available.
It is known that Zoho’s ManageEngine products have previously been targeted by attackers to exploit various types of vulnerabilities. A previous remote code execution vulnerability (CVE-2022-35405) was added to CISA’s catalog to urge the patching in September 2022.
Is There a Mitigation Available?
Zoho has patched the vulnerable ManageEngine products, starting late October 2022, by updating the out-of-date dependency. To prevent attacks, it is strongly advised to patch the affected products. The ManageEngine advisory for CVE-2022-47966 can be found here.
How Can SOCRadar Help?
Follow the latest vulnerabilities on Vulnerability Intelligence via SOCRadar, be aware of recent risks, and better prioritize your actions. SOCRadar collects information on all vulnerabilities and presents it to you in an actionable format, in an easier-to-manage feed, and notifies you by ASM in case a vulnerability affects your organization.