Zoho ManageEngine RCE Vulnerability

Released: Apr 20, 2023
Severity: High
Vendor: Zoho


Multiple Zoho ManageEngine products exploited in the wild

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus, Password Manager Pro and ADSelfService Plus, allow remote code execution due to the use of an outdated third-party dependency, Apache Santuario. Successful exploitation leads to remote code execution, and there is evidence of exploitation in the wild by Advanced Persistent Threat (APT) groups.

Common Vulnerabilities and Exposures

CVE-2022-47966


Background

ManageEngine's products are widely used across enterprises, offering a broad suite of IT management software that performs several important business functions. In 2021, a different vulnerability, Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077), was exploited in the wild. The full Outbreak Report can be read here:
https://www.fortiguard.com/outbreak-alert/zoho-exploit

Latest Development



Jan 20, 2023: FortiGuard Labs released a Threat Signal Report on Proof-of-Concept Released for Zoho ManageEngine RCE vulnerability (CVE-2022-47966).
https://www.fortiguard.com/threat-signal-report/4954/

Jan 23, 2023: FortiGuard Labs released an IPS signature (ID: 52571) to detect and block attack attempts targeting CVE-2022-47966.


Jan 23, 2023: CISA added CVE-2022-47966 to its Known Exploited Vulnerabilities Catalog (KEV)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

April 18, 2023: Microsoft Threat Intelligence reported that Mint Sandstorm, an Iranian government-backed threat actor, exploited the Zoho ManageEngine vulnerability to gain initial access in attacks targeting US critical infrastructure.
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/

Sept 7, 2023: CISA released a new advisory: Multiple Nation-State Threat Actors Exploiting Zoho ManageEngine vulnerabilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a


FortiGuard Labs recommends that organizations using any of the affected products listed in ManageEngine's advisory update immediately, as exploit code is publicly available and exploitation is occurring in the wild.

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure
  • Decoy VM
  • AV
  • AV (Pre-filter)
  • IPS
  • Web App Security
  • Post-execution
  • Botnet C&C

DETECT
  • Threat Hunting
  • IOC
  • Outbreak Detection
  • Content Update

RESPOND
  • Assisted Response Services
  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)
