Researchers Warn Against Zoho ManageEngine Exploit Attacks

Horizon3.ai researchers have urged Zoho ManageEngine users to patch their software against a critical security vulnerability (tracked as CVE-2022-47966) after developing and releasing proof-of-concept (PoC) exploit code.

Writing on the company’s blog last Friday, Horizon3.ai researcher and exploit developer James Horseman said the team has successfully reproduced the exploit and is now providing additional insight into the vulnerability to help users determine whether they have been compromised.

Patched by Zoho between the last week of October and the first week of November 2022, the bug affects multiple Zoho ManageEngine products. It can be exploited over the internet for remote code execution (RCE) if Security Assertion Markup Language (SAML) single sign-on (SSO) is enabled or has been enabled at any point in the past.

“Once an attacker has SYSTEM-level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” Horseman explained.

“Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled.”

The company added that organizations that use SAML, generally speaking, tend to be larger and more mature and are likely to be higher-value targets for attackers.

“ManageEngine products have been highly targeted in the past several years by threat actors to gain initial access.”

Horizon3.ai has also released Indicators of Compromise (IOCs) associated with the flaw and is urging customers to update their instances before threat actors exploit it.

“We encourage all ManageEngine users to heed the ManageEngine advisory and patch immediately,” Horseman warned.

“We want to highlight that in some cases, the vulnerability is exploitable even if SAML is not currently enabled but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product.”

More information about SAML and identity management is available in this analysis by JumpCloud CTO Greg Keller.
