Rapid7, a cloud-based risk management and threat detection company, has reported that it has observed an increase in cyber attacks that exploit a recently discovered vulnerability in Zoho ManageEngine. The vulnerability, tracked as CVE-2022-47966, is a security defect that exists in a third-party dependency (Apache xmlsec, also known as XML Security for Java, version 1.4.1) and allows attackers to execute arbitrary code remotely without authentication. The vulnerability was deemed "critical" in terms of severity and was first reported by Zoho in November 2022.
Automated penetration testing firm Horizon3.ai had previously warned that there were at least a thousand vulnerable ManageEngine products exposed to the internet and that they were all susceptible to spray and pray attacks. Horizon3.ai also published a proof-of-concept (PoC) exploit targeting the issue. Rapid7 now reports that it has been responding to incidents of compromise resulting from the active exploitation of the vulnerability. The attacks appear to have started even before Horizon3.ai released its PoC exploit.
Rapid7 has stated that some of the impacted products, including ADSelfService Plus and ServiceDesk Plus, are highly popular among organizations and have been known to be targeted in previous attacks. Other impacted products include Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, Application Control Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, PAM 360, Password Manager Pro, Remote Monitoring and Management (RMM), SupportCenter Plus, and Vulnerability Manager Plus.
In light of these findings, Rapid7 advises organizations to update their systems immediately and review unpatched systems for signs of compromise. Exploit code for the vulnerability is publicly available and attacks have already begun. Additionally, threat intelligence firm GreyNoise has also reported seeing attacks exploiting the vulnerability.
Comments