WARNING: PROOF OF CONCEPT RELEASED FOR A CRITICAL UNAUTHENTICATED RCE IN ZOHO MANAGE ENGINE, PATCH IMMEDIATELY!
CVE-2022-47966 CVSS N/A (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Manage engine has a detailed overview of vulnerable & patched software: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
Zoho ManageEngine products are commonly implemented across organisations for authentication, authorization, and identity management.
CVE-2022-47966 poses a critical risk to organizations allowing attackers initial access and the ability for lateral movement with NT AUTHORITY\SYSTEM privileges.
CVE-2022-47966 is easily exploitable and could start “spray and pray” campaigns across the Internet.
Successful exploitation of CVE-2022-47966 has a HIGH impact on all vertices of the CIA triad (Confidentiality, Integrity, and Availability).
The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity. Organisations should investigate if they suspect an intrusion attempt.
Horzion3 has a list of Indicators of compromise (IOCs) available to check if the Proof of concept (PoC) is used against your network infrastructure: https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/.
If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
UPDATE: It has been reported that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 in ongoing attacks to open reverse shells.
An unauthenticated remote attacker could gain remote code execution with high privilegeds after successfully exploiting CVE-2022-47966.
The flaw resides in an outdated third-party dependency called Apache Santuario, which allows an attacker to remotely execute code through the NT AUTHORITY\SYSTEM identity, thereby taking full control of the system.
Both financially motivated- and nation state threat actors frequently targeted Zoho ManageEngine servers throughout the past years. The Chinese-linked APT27 hacking group targeted vulnerable Zoho ManageEngine products between August and October 2021.
The Centre for Cyber Security Belgium strongly recommends Windows system administrators to take the following actions:
Update vulnerable Zoho ManageEngine instances to the most recent build available, as soon as possible: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html.
Upscale monitoring and detection capabilities to detect any related suspicious activity to ensure a fast response in case of an intrusion. Organizations that identify any activity related to CVE-2022-47966 within their networks should act immediately.
Additionally, the FBI, CISA, and CGCYBER strongly recommend domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if organizations have an indication that the NTDS.dit file is compromised.