The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.
This security flaw is tracked as CVE-2022-47966 and was patched in several waves starting on October 27th, 2022.
Unauthenticated threat actors can exploit it to execute arbitrary code if SAML-based single sign-on (SSO) is enabled, or was enabled at least once before the attack.
Last week, Horizon3 security researchers released a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming ‘spray and pray’ attacks.
They found over 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances and estimated that roughly 10% of them are also vulnerable.
One day later, multiple cybersecurity companies warned that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.
Post-exploitation activity seen by Rapid7 security researchers shows that attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools.
Picking up exploitation attempts from at least 10 IPs for CVE-2022-47966 unauthenticated RCE affecting multiple Zoho ManageEngine products (that have SAML SSO enabled).
Make sure to update to fixed versions as specified in the ManageEngine advisory https://t.co/BIRlXnHkAT
— Shadowserver (@Shadowserver) January 19, 2023
All orgs urged to prioritize patching
All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against this actively exploited bug now that it has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, according to binding operational directive BOD 22-01, issued in November 2021.
The federal agencies have three weeks, until February 13th, to ensure that their networks are secured against ongoing exploitation attempts.
Although BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urged all organizations from private and public sectors to prioritize patching this vulnerability.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA said on Monday.
In September, CISA ordered federal agencies to patch another critical flaw (CVE-2022-35405) in several Zoho ManageEngine products that allows for unauthenticated remote code execution following successful exploitation.
A Metasploit module (that helps gain RCE as the SYSTEM user) and proof-of-concept (PoC) exploit code targeting CVE-2022-35405 have been available online since August.
CISA and the FBI previously warned (1, 2) that state-backed groups are exploiting ManageEngine flaws to target organizations from multiple critical infrastructure sectors, including financial services and healthcare.