As of 20 January 2023, Bitdefender Labs noticed a global increase in attacks involving the ManageEngine exploit no. CVE-2022-47966. The vulnerability allows remote code execution (RCE) and has therefore received a CVSSv3 criticality rating of 9.8/10. A total of 24 different Zoho ManageEngine products are vulnerable.
The vulnerability was discovered by Khoa Dinh of VCSLab. It allows unauthenticated remote code execution due to the use of a deprecated third-party dependency for validating the XML signature, Apache Santuario. This library’s vulnerability was identified almost 15 years ago (in March 2008). The compromised library is used only if SAML SSO is or was enabled. SAML is a more than 20-year-old authentication standard where authentication traffic goes through the requesting customer.
Based on a simple analysis (e.g., on Shodan), it can be concluded that between 2,000 and 4,000 servers accessible from the Internet, use one of the vulnerable versions. Not all of these servers can be used with the current PoC code, as SAML must be configured on them.
The attackers first identify the RCE security vulnerability (preferably using a public PoC example), and then use automated scanners to detect vulnerable systems and automatically compromise them (‘spray-and-pray’ tactics).
The screen below shows the number of attacks carried out using this exploit in the last 1, 7, 30 and 90 days (from The Shadowserver Foundation).
Source:
CVE-2022-47966 – RCE in Numerous ManageEngine Products
ManageEngine CVE-2022-47966 Technical Deep Dive
IoC:
Flash Notice: UPDATE – Zoho ManageEngine Vulnerability Exploited in the Wild
