Researchers Warn Against Zoho ManageEngine Exploit Attacks

Horizon3.ai researchers have informed Zoho ManageEngine users of a critical security vulnerability (tracked as CVE-2022-47966) after developing and releasing proof-of-concept (PoC) exploit code.

Writing on the company blog last Friday, Horizon3.ai researcher and exploit developer James Horseman announced that the team had successfully reproduced the exploit, and offered additional insight into the vulnerability to help users determine whether they had been compromised.

Patched by Zoho between the last week of October and the first week of November 2022, this bug affects multiple Zoho ManageEngine products in which Security Assertion Markup Language (SAML) single sign-on (SSO) is enabled or was previously enabled.

“Once an attacker gains system-level access to an endpoint, they can initiate credential dumping via LSASS or leverage existing exposure tools to access stored application credentials, and can move laterally,” explains Horseman.

“The Shodan data suggests there are probably over 1000 instances of ManageEngine products that are currently exposed to the Internet with SAML enabled.”

The company added that, generally speaking, organizations using SAML tend to be larger and more mature, making them more likely to be high-value targets for attackers.

“The ManageEngine product has been highly targeted by threat actors over the past few years to gain initial access.”

Horizon3.ai has also released indicators of compromise (IOCs) related to this vulnerability, urging customers to update their instances before attackers can exploit it.

“We encourage all users of ManageEngine to take note of the ManageEngine advisory and apply the patch immediately,” warns Horseman.

“We would like to emphasize that even if SAML is not currently enabled, but was enabled in the past, in some cases the vulnerability could still be exploited. Apply patches regardless of SAML configuration.”

For more information on SAML and identity management, see this analysis by JumpCloud CTO Greg Keller.
