Proof-of-concept exploit code will be released later this week for a critical vulnerability that permits unauthenticated remote code execution (RCE) in several Zoho ManageEngine products.
Tracked as CVE-2022-47966, this pre-authentication RCE flaw stems from the use of an outdated and vulnerable third-party dependency, Apache Santuario.
Successful exploitation lets unauthenticated attackers execute arbitrary code on ManageEngine servers if SAML-based single sign-on (SSO) is currently enabled or has been enabled at least once in the past.
The list of affected software covers nearly all ManageEngine products. Fortunately, Zoho began patching the flaw on October 27, 2022, by updating the outdated third-party module.
Incoming “spray and pray” attacks
On Friday, Horizon3's Attack Team researchers warned administrators that they had created a proof-of-concept (PoC) exploit for CVE-2022-47966.
The vulnerability is easy to exploit and a good candidate for attackers to "spray and pray" across the Internet. It allows remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system.
If a user suspects they have been compromised, further investigation is required to determine what damage the attacker did. Once attackers have SYSTEM-level access to the endpoint, they are likely to dump credentials via LSASS or use existing public tooling to access stored application credentials for lateral movement.
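As an added example for the triage step described above (this is not code from the article, Horizon3 or Zoho), the following Python flags Sysmon Event ID 10 (ProcessAccess) records in which a process outside an assumed allowlist opens lsass.exe with the PROCESS_VM_READ right, or opens it from unbacked (UNKNOWN) code, the typical footprint of credential dumping. The log records, their semicolon-delimited rendering and the benign-process allowlist are constructed for this example and must be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for credential-dumping
style access to lsass.exe.

Added example for this article, not Horizon3's or Zoho's code. The records
below are constructed, and the benign-source allowlist is an assumption.
"""
from dataclasses import dataclass

# Windows process access right that permits reading another process's memory.
# A handle with only 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) is routine;
# 0x1010 and 0x1410 (VM_READ plus query rights) are what dumpers ask for.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of processes that legitimately open lsass.exe.
BENIGN_SOURCE_IMAGES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one semicolon-delimited 'Key: value' record (a constructed
    flat rendering of the Sysmon Event ID 10 fields, not Sysmon's XML).
    CallTrace keeps Sysmon's own '|' frame separator."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        call_trace=fields.get("CallTrace", ""),
    )


def is_suspicious_lsass_access(ev: ProcessAccessEvent) -> bool:
    """True when a non-allowlisted process opens lsass.exe with memory-read
    rights, or when any frame of the call trace is unbacked by a module."""
    if not ev.target_image.lower().endswith("\\lsass.exe"):
        return False
    if ev.source_image.lower() in BENIGN_SOURCE_IMAGES:
        return False
    reads_memory = bool(ev.granted_access & PROCESS_VM_READ)
    unbacked_caller = "UNKNOWN" in ev.call_trace.upper()
    return reads_memory or unbacked_caller


def triage(lines):
    """Return the source image of every flagged record, in input order."""
    return [
        ev.source_image
        for ev in map(parse_event, lines)
        if is_suspicious_lsass_access(ev)
    ]


# Constructed sample records (not real telemetry).
SAMPLE_LINES = [
    "SourceImage: C:\\Windows\\system32\\svchost.exe"
    ";TargetImage: C:\\Windows\\system32\\lsass.exe"
    ";GrantedAccess: 0x1000"
    ";CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
    # The ManageEngine Java process reading LSASS memory from unbacked code
    # is the post-exploitation pattern the article warns about (assumed path).
    "SourceImage: C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe"
    ";TargetImage: C:\\Windows\\system32\\lsass.exe"
    ";GrantedAccess: 0x1010"
    ";CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|UNKNOWN(00000000020A1F3D)",
    "SourceImage: C:\\Windows\\system32\\wininit.exe"
    ";TargetImage: C:\\Windows\\system32\\lsass.exe"
    ";GrantedAccess: 0x1fffff"
    ";CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
    "SourceImage: C:\\Users\\Public\\tool.exe"
    ";TargetImage: C:\\Windows\\system32\\notepad.exe"
    ";GrantedAccess: 0x1010"
    ";CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print("suspicious lsass.exe access from", hit)
```

The allowlist is deliberately a last resort: an attacker running as SYSTEM inside the ManageEngine Java process does not need to drop a new binary, so the check keys on the access mask and the unbacked call frame rather than on the source image alone, and the allowlist only suppresses known Windows components that open LSASS by design.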
Horizon3 has also shared the handful of indicators of compromise (IOCs) available so far, which defenders can use to determine whether their systems have been compromised. The company says it will release its PoC exploit later this week.
The Horizon3 researchers have also published a screenshot of their exploit in action against a vulnerable ManageEngine ServiceDesk Plus instance.