Unpatched Zoho MangeEngine Products Under Active Cyberattack

Several Zoho ManageEngine IT management products require patching against a critical unauthenticated remote code execution (RCE) that researchers warn is under active attack by malicious threat actors.

On Jan. 10, ManageEngine released an update against the bug, tracked under CVE-2022-47966, blaming it on “… an outdated third party dependence, Apache Santuario.”

The security advisory adds that any of the two dozen ManageEngine products impacted are vulnerable if single sign-on is, or has ever been, enabled.

By Jan. 13, researchers at Horizon.ai provided indicators of compromise (IoCs). Now GreyNoise has observed malicious actors attempting to exploit the RCE over the past three days.

“IP addresses with this tag have been observed attempting to exploit CVE-2022-47966, an unauthenticated remote command execution vulnerability in multiple Zoho ManageEngine products,” the security team reported.

Once the RCE is used to breach a system, that access could be used to create all sorts of havoc by threat actors, Horizon.ai analysts explained.

“ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management,” the Horizon.ai researchers added. “Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access if exposed to the internet, and the ability for lateral movement with highly privileged credentials.”