UPDATE 04/22/2023: Updated Appendix for Outbreak Alert. Added reference to CVE-2022-47966 being leveraged by a subgroup of the Mint Sandstorm APT.
FortiGuard Labs is aware of a report that Proof-of-Concept code for a critical Zoho ManageEngine RCE vulnerability, which is actively exploited, was released to the public. Patched in October and November 2022, the vulnerability affects multiple on-premise ManageEngine products and allows attackers to perform remote code execution with SYSTEM level privileges.
Why is this Significant?
Although a patch is available for the Zoho ManageEngine RCE vulnerability (CVE-2022-47966), proof-of-concept code is now available to the public, and exploit attempts for CVE-2022-47966 are expected to pick up because of it. The patch should be applied as soon as possible.
What is CVE-2022-47966?
The vulnerability affects multiple on-premise ManageEngine products due to their use of an outdated version of Apache Santuario. Successful exploitation of the vulnerability allows attackers to perform remote code execution with SYSTEM level privileges. The vulnerability exists only when Security Assertion Markup Language (SAML) Single Sign-On (SSO) is enabled, or was enabled at some point, depending on the Zoho ManageEngine product.
According to Microsoft, a subgroup of the alleged Iranian-based Mint Sandstorm APT group leveraged CVE-2022-47966.
Has the Vendor Released an Advisory for CVE-2022-47966?
Yes, the advisory is available. See the Appendix for a link to "Security advisory for remote code execution vulnerability in multiple ManageEngine products".
Which ManageEngine Products are Vulnerable to CVE-2022-47966?
Affected ManageEngine products are available in the advisory.
Has the Vendor Released a Patch for CVE-2022-47966?
Yes, a patch was released on October 27th, October 28th, and November 11th, 2022, depending on the ManageEngine product.
What is the Status of Protection?
FortiGuard Labs released the following IPS signature in version 22.490 for CVE-2022-47966:
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus, Password Manager Pro and ADSelfService Plus, allow remote code execution due to the usage of an outdated third-party dependency, Apache Santuario. Successful exploitation leads to remote code execution, and there is evidence of exploitation in the wild by Advanced Persistent Threat (APT) groups.
Tweet by Horizon3 Attack Team (@Horizon3Attack)