ManageEngine is exposed to serious vulnerability, attackers can run code remotely

Cybersecurity researchers from the Horizon3 Attack Team have published a proof-of-concept (PoC) exploit for a vulnerability that exists in many ManageEngine products.

According to the report, the CVE-2022-47966 vulnerability could allow an unauthenticated attacker to remotely execute code on ManageEngine servers that have had SAML-based single sign-on (SSO) enabled at some point in the past, so turning the feature off does not solve the problem.

The researchers note that the vulnerable endpoint uses an outdated third-party dependency, Apache Santuario, which is what allows an attacker to remotely execute code as NT AUTHORITY\SYSTEM and thereby take full control of the system.

“As it stands, the vulnerability is easy to exploit and is a favorable way for attackers to ‘spray and pray’ online. The vulnerability allows remote execution of code as NT AUTHORITY\SYSTEM, essentially allowing an attacker to take full control of the system,” the researchers warned.

“If a user determines that their information has been compromised, additional investigation is required to determine the damage caused by the attacker. Once an attacker gains system-level access to an endpoint, the attacker may begin to perform lateral transfers by dumping credentials via LSASS or by leveraging existing public tools to access stored application credentials.”

Zoho has now released the corresponding patch, so affected users should download and apply it as soon as possible.

It is worth mentioning that researchers searching Shodan for unpatched endpoints still found “thousands” of vulnerable instances of the ManageEngine products ServiceDesk Plus and Endpoint Central, so we hope you will be vigilant.

There have been no reports of CVE-2022-47966 being maliciously exploited, but if IT administrators choose to ignore this vulnerability, there will be victims sooner rather than later.
