CISA warns of critical ManageEngine RCE bug exploited in attacks


The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.

This security flaw is tracked as CVE-2022-47966 and was patched in several waves starting on October 27th, 2022.

Unauthenticated threat actors can exploit it to execute arbitrary code on instances where SAML-based single sign-on (SSO) is enabled, or was enabled at least once in the past, even if it has since been turned off.

Last week, Horizon3 security researchers released a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming ‘spray and pray’ attacks.

They found over 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances and estimated that roughly 10% of them are also vulnerable.

One day later, multiple cybersecurity companies warned that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.

Post-exploitation activity seen by Rapid7 security researchers shows that attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools.
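The two post-exploitation signals described above (a shell spawned by the ManageEngine service for a reverse shell, and real-time malware protection being switched off) are simple to hunt for in endpoint telemetry. The script below is an added example, not code from the article or from Rapid7 or Horizon3. It assumes the ManageEngine service runs under java.exe (the products are Java/Tomcat based), that Microsoft Defender records "Real-time protection is disabled" as Event ID 5001 in the Microsoft-Windows-Windows Defender/Operational channel, and that telemetry has already been normalized into the hypothetical dict shape used here; the sample events are constructed.

```python
"""Triage constructed endpoint telemetry for two ManageEngine post-exploitation
signals: a shell whose parent is the Java service, and Defender real-time
protection being disabled (Event ID 5001). Added example; field names are a
hypothetical normalized schema, not a vendor format."""
from __future__ import annotations

from dataclasses import dataclass

# Command interpreters that the ManageEngine Java service should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Microsoft-Windows-Windows Defender/Operational: "Real-time protection is disabled".
DEFENDER_RTP_DISABLED = 5001
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: dict) -> Finding | None:
    """Flag a shell spawned directly by java.exe (reverse-shell pattern)."""
    if ev.get("type") != "process_create":
        return None
    if _basename(ev["parent_image"]) != "java.exe":
        return None
    if _basename(ev["image"]) not in SHELLS:
        return None
    detail = f'{ev["parent_image"]} -> {ev["image"]} {ev.get("cmdline", "")}'.rstrip()
    return Finding(ev["host"], "java-spawned-shell", detail)


def check_defender_event(ev: dict) -> Finding | None:
    """Flag Defender Event ID 5001 (real-time protection disabled)."""
    if ev.get("type") != "windows_event" or ev.get("channel") != DEFENDER_CHANNEL:
        return None
    if ev.get("event_id") != DEFENDER_RTP_DISABLED:
        return None
    return Finding(ev["host"], "defender-rtp-disabled", f'event {ev["event_id"]} at {ev["time"]}')


def triage(events: list[dict]) -> list[Finding]:
    """Run every check over every event and collect the hits."""
    findings: list[Finding] = []
    for ev in events:
        for check in (check_process_event, check_defender_event):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def hosts_with_both(findings: list[Finding]) -> set[str]:
    """Hosts showing both signals: treat these as confirmed compromise, not a one-off."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if {"java-spawned-shell", "defender-rtp-disabled"} <= rules}


# Constructed sample telemetry: one compromised ServiceDesk host and benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "sdp-01", "time": "2023-01-20T03:14:07Z",
     "parent_image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "powershell -nop -w hidden"'},
    {"type": "windows_event", "host": "sdp-01", "time": "2023-01-20T03:14:22Z",
     "channel": DEFENDER_CHANNEL, "event_id": 5001},
    # Benign: the Java service spawning a helper that is not a shell.
    {"type": "process_create", "host": "sdp-01", "time": "2023-01-20T03:15:00Z",
     "parent_image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe"},
    # Benign: an admin opening a shell from Explorer on another host.
    {"type": "process_create", "host": "ws-07", "time": "2023-01-20T09:00:00Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    # Benign: a Defender detection event, not a protection-disabled event.
    {"type": "windows_event", "host": "ws-07", "time": "2023-01-20T09:01:00Z",
     "channel": DEFENDER_CHANNEL, "event_id": 1116},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("confirmed:", sorted(hosts_with_both(hits)))
```

Either signal alone deserves a look on a ManageEngine host, but the pairing within minutes on the same host is the pattern the researchers describe, so the script escalates those hosts separately rather than leaving an analyst to correlate two alert queues by hand.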

All orgs urged to prioritize patching

All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against this actively exploited bug now that it has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, according to a binding operational directive (BOD 22-01) issued in November 2021.

The federal agencies have three weeks, until February 13th, to ensure that their networks are secured against ongoing exploitation attempts.

Although BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urged all organizations from private and public sectors to prioritize patching this vulnerability.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA said on Monday.

In September, CISA ordered federal agencies to patch another critical flaw (CVE-2022-35405) in several Zoho ManageEngine products that allows unauthenticated remote code execution.

A Metasploit module (that helps gain RCE as the SYSTEM user) and proof-of-concept (PoC) exploit code targeting CVE-2022-35405 have been available online since August.

CISA and the FBI previously warned that state-backed groups are exploiting ManageEngine flaws to target organizations from multiple critical infrastructure sectors, including financial services and healthcare.

