PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966)

If your enterprise is running ManageEngine products that were affected by CVE-2022-47966, check now whether they’ve been updated to a non-vulnerable version because Horizon3 will be releasing technical details and a PoC exploit this week.

CVE-2022-47966 PoC

GreyNoise has yet to detect in-the-wild exploitation attempts, but you better believe they are coming. “The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet,” vulnerability researcher James Horseman opined.

About CVE-2022-47966

CVE-2022-47966 is an unauthenticated remote code execution vulnerability that has been found by a researcher with Viettel Cyber Security in two dozen ManageEngine products, including Access Manager Plus, ADSelfService Plus, Endpoint DLP, Password Manager Pro, PAM360, ServiceDesk Plus, and others.

The source of the vulnerability was an outdated version of the Apache Santuario library, which provides implementation of security standards for XML. The vulnerability is only exploitable if SAML single sign-on is currently or has been previously enabled on those products, and can be exploited by crafting a SAML request with an invalid signature.

“This issue has been fixed by updating the third party module to the recent version,” ManageEngine shared. The company released fixed versions of each product throughout October and November 2022 and, hopefully, most organizations have already upgraded their installations.

Mitigate the risk and check for evidence of exploitation

Attackers often take advantage of flaws in Zoho’s ManageEngine offerings.

“ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management. Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with highly privileged credentials,” Horseman pointed out.

He and his colleagues have reproduced the CVE-2022-47966 exploit and have shared indicators of compromise (IoCs) that can help organizations’ defenders look for evidence of compromise.

“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done,” he added.

Luckily for ManageEngine’s customers’, this vulnerability is still not being exploited and they can prevent being affected by it by upgrading products sooner rather than later.

UPDATE (January 19, 2023, 04:40 a.m. ET):

The researcher who unearthed the vulnerability has published additional technical details.

UPDATE (January 19, 2023, 09:20 a.m. ET):

And here’s Horizon3’s PoC and a technical post on how they found the vulnerability by analyzing its patch.

UPDATE (January 20, 2023, 09:40 a.m. ET):

Exploitation attempts have been flagged by GreyNoise and Shadowserver.

Rapid7 is currently “responding to various compromises arising from the exploitation of CVE-2022-47966.”

Share this