Zoho ManageEngine users are being advised to urgently apply security patches to their systems due to a critical vulnerability identified as CVE-2022-47966. This flaw opens the door for unauthenticated remote code execution, raising significant security concerns ahead of the anticipated release of proof-of-concept (PoC) exploit code.
The root cause is an outdated third-party component, Apache Santuario (the Apache XML Security for Java library that verifies XML signatures), bundled with many ManageEngine products. As Zoho noted in its advisory last year, the flaw affects installations in which the SAML single sign-on (SSO) feature is enabled, or for some products has ever been enabled, because that is the code path that hands attacker-supplied XML to the vulnerable library.
Horizon3.ai has published Indicators of Compromise (IOCs) for the vulnerability and confirmed that it reproduced the exploit against ManageEngine ServiceDesk Plus and Endpoint Central. Researcher James Horseman remarked that the vulnerability is easy to exploit, which makes it a prime candidate for mass exploitation, and that a successful attack yields code execution as NT AUTHORITY\SYSTEM, giving the attacker full control of the affected host.
With SYSTEM privileges an attacker can harvest credentials from the host and move laterally through the network; in MITRE ATT&CK terms the intrusion maps to the Initial Access, Privilege Escalation and Lateral Movement tactics. The exploit requires no authentication: the attacker only has to send a specially crafted SAML response to the product's SAML endpoint, so every internet-exposed instance with SAML enabled is reachable.
Horizon3.ai also reported more than 1,000 internet-exposed ManageEngine instances with SAML enabled, which makes them attractive targets. Given how quickly adversaries fold newly published vulnerabilities into their campaigns, organizations should patch without delay.
Update: PoC Exploit Released
Horizon3.ai has since published its exploit for CVE-2022-47966. It demonstrates remote command execution by delivering a malicious SAML response to the vulnerable product in an HTTP POST request. Rapid7 has reported compromises attributed to exploitation of this vulnerability, with a surge of incidents beginning on or before January 17, 2023.
Threat actors have been observed using the vulnerability to run PowerShell scripts that disable Microsoft Defender Antivirus real-time protection and then download remote access tools. According to Rapid7 researcher Glenn Thorpe, organizations running affected products should update immediately and, because public exploit code greatly raises the likelihood of attack, hunt for signs of compromise on any system that was exposed while unpatched.
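The two indicators described above, the crafted SAML response and the PowerShell command that disables Defender, both leave artifacts a defender can check for. Horizon3.ai's analysis traces the flaw to the outdated Santuario evaluating an XSLT transform listed in the signed SAML response's ds:Transforms before the signature is verified, so a legitimate identity provider has no reason to send one. The following Python script is an added example and is not code from the page, Horizon3.ai or Rapid7: it flags XSLT transforms in a captured SAML response body and flags process-creation records in which the web application process (assumed here to be java.exe, the ManageEngine-bundled Tomcat) spawns a shell or Defender real-time protection is switched off. The SAML document, the process records and the process names are constructed sample data.

```python
"""Triage checks for CVE-2022-47966 indicators (added example, not from the page)."""
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# XSLT transform algorithm URI from the XML Signature spec. An identity
# provider never needs it; its presence in a SAML response is the indicator.
XSLT_ALGORITHM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def suspicious_saml_transforms(saml_response_xml: str) -> list[str]:
    """Return the Algorithm URI of every ds:Transform that is an XSLT
    transform. An empty list means the response carries none."""
    root = ET.fromstring(saml_response_xml)
    return [t.get("Algorithm", "")
            for t in root.iter(f"{{{DS_NS}}}Transform")
            if t.get("Algorithm") == XSLT_ALGORITHM]


# Constructed sample: a minimal SAML response whose signature reference
# carries an XSLT transform (empty stylesheet, no payload).
SAMPLE_SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0nstructed">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_c0nstructed"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"/>
    </ds:Transform>
  </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# Same document with the XSLT transform removed, i.e. what a benign IdP sends.
CLEAN_SAML_RESPONSE = re.sub(
    r'<ds:Transform Algorithm="http://www\.w3\.org/TR/1999/REC-xslt-19991116">.*?</ds:Transform>',
    "", SAMPLE_SAML_RESPONSE, flags=re.S)

# Assumption: the ManageEngine web application runs inside java.exe.
WEB_APP_PARENTS = {"java.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
# Set-MpPreference -DisableRealtimeMonitoring $true is the documented way to
# turn off Defender real-time protection from PowerShell.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.IGNORECASE)


def find_defender_tampering(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for each process-creation record that matches
    either indicator. Records need image, parent_image, command_line, pid."""
    findings = []
    for e in events:
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        image = e["image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if parent in WEB_APP_PARENTS and image in SHELLS:
            reasons.append("shell spawned by web application process")
        if DEFENDER_TAMPER.search(e["command_line"]):
            reasons.append("Defender real-time protection disabled")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


# Constructed sample process-creation records (Sysmon event 1 style fields).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "command_line": "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4150, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c Get-MpPreference"},
    {"pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "command_line": "cmd /c whoami"},
]

if __name__ == "__main__":
    print("XSLT transforms in sample:", suspicious_saml_transforms(SAMPLE_SAML_RESPONSE))
    print("XSLT transforms in clean:", suspicious_saml_transforms(CLEAN_SAML_RESPONSE))
    for pid, reasons in find_defender_tampering(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

In practice the SAML check runs over request bodies recovered from a web proxy or packet capture, and the process check over exported Sysmon or EDR process-creation events; the java.exe parent name should be confirmed against the product's actual service configuration before relying on it.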
In summary, CVE-2022-47966 combines an unauthenticated, internet-reachable entry point with immediate SYSTEM-level access, and public exploit code is already in use. Patching affected ManageEngine products and reviewing exposed instances for the indicators above is the priority for any organization that has run them with SAML SSO enabled.