Security researchers have issued a warning about CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability in Zoho ManageEngine, which is likely to lead to ‘spray and pray’ attacks across the internet.
Affected products include ServiceDesk Plus 14003 and Endpoint Central 10.1.2228.10.
The vulnerability affects several Zoho ManageEngine products, was patched by Zoho last November, and can be exploited over the internet if SAML single sign-on is enabled.
Enterprises widely use ManageEngine products for business functions such as identity management, authorization, authentication, and more. According to Zoho, ManageEngine is used by 280,000 organizations in 190 countries.
As a result, a vulnerability like this poses a critical security risk to organizations, allowing attackers to gain initial access and move laterally using highly privileged credentials.
Horizon3.ai says, “Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement.”
According to Shodan data, more than a thousand instances of ManageEngine products with SAML enabled are probably exposed to the internet.
Although Zoho released patches for the affected products in October last year, only some have been patched.
On this point, Horizon3.ai red-teamer James Horseman says, “We expect some ManageEngine clients to have already patched, but given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”
Horseman adds that even if SAML is not currently enabled, the vulnerability can still be exploited if it was enabled at some point in the past. It is best to patch all affected products soon.