Researchers to release PoC exploit for critical Zoho RCE bug, patch now


Proof-of-concept exploit code will be released later this week for a critical vulnerability that permits unauthenticated remote code execution (RCE) in several Zoho ManageEngine products.

Tracked as CVE-2022-47966, this pre-auth RCE flaw is caused by an outdated and vulnerable third-party dependency, Apache Santuario.

Exploitation allows unauthenticated attackers to execute arbitrary code on ManageEngine servers if SAML-based SSO is enabled, or had been enabled at least once before the attack.

Nearly all ManageEngine products are affected. Fortunately, Zoho began patching these vulnerabilities on October 27, 2022, by updating the out-of-date third-party dependency.

Incoming “spray and pray” attacks

On Friday, researchers with Horizon3's Attack Team warned administrators that they had created a proof-of-concept (PoC) exploit for CVE-2022-47966.

The vulnerability is easy to exploit and makes a great target for attackers to "spray and pray" across the Internet. It allows remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system.

If an organization suspects it has been compromised, further investigation is required to determine what damage the attacker did. Once an attacker has SYSTEM-level access to the endpoint, they are likely to dump credentials via LSASS or leverage existing public tooling to access stored application credentials and conduct lateral movement.

To help defenders, Horizon3 has disclosed the few relevant indicators of compromise (IOCs) that can be used to determine whether a system has been compromised. The company said it will release its proof-of-concept exploit later this week.

The researchers at Horizon3 have publicly displayed a screenshot of their exploit in action against a vulnerable ManageEngine ServiceDesk Plus instance.

10% of all exposed instances vulnerable to attacks

Using Shodan, Horizon3 identified over 4,500 unpatched servers exposed online running two vulnerable ManageEngine products, ServiceDesk Plus and Endpoint Central.

Many ManageEngine products are impacted by CVE-2022-47966, but only roughly 10% of the exposed instances had SAML enabled and are therefore vulnerable to attack.

No cybersecurity company has yet reported in-the-wild exploitation of this vulnerability, but attackers will very likely move swiftly to exploit it once Horizon3 publishes its proof-of-concept (PoC) code.

Horizon3 previously released exploit code for:

  • CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that can let attackers compromise Active Directory accounts,
  • CVE-2022-1388, a critical bug that enables remote code execution in F5 BIG-IP networking devices,
  • and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that lets threat actors gain admin privileges.

Zoho ManageEngine servers were repeatedly attacked by nation-state hackers between August and October 2021, using the same techniques and tools previously seen from the Chinese APT27 hacking group.

In July 2020, several Desktop Central instances were hacked, with criminals selling access to the breached organizations' networks on hacking forums.

Following those attacks, the FBI and CISA issued joint advisories [1, 2] warning that ManageEngine software vulnerabilities were being exploited to backdoor critical infrastructure systems.
