Researchers from Horizon3.ai have urged Zoho ManageEngine users to patch their software against a critical security vulnerability, tracked as CVE-2022-47966, after developing and releasing proof-of-concept (PoC) exploit code.
Exploit developer James Horseman said the team has successfully reproduced the exploit and is now providing additional insight into the vulnerability to help users determine whether they have been compromised.
Zoho patched this vulnerability last year; it affects multiple Zoho ManageEngine products. It can be exploited over the internet for remote code execution if Security Assertion Markup Language (SAML) single sign-on (SSO) is enabled or has been enabled in the past.
With SYSTEM-level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or to leverage existing public tooling to access stored application credentials and conduct lateral movement.
Data from Shodan shows thousands of instances of ManageEngine products exposed to the internet, including hundreds with SAML currently enabled:
- 5255 exposed instances of ServiceDesk Plus, of which 509 have SAML enabled
- 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled
The company added that organizations that use SAML tend to be larger and more mature and are likely to be higher-value targets for attackers.
ManageEngine products have been heavily targeted by threat actors seeking initial access, so ManageEngine users are urged to follow Zoho's advisory and patch immediately.