Skip to content

Patched Zoho ManageEngine bug is under threat of being exploited

  • by
  • 3 min read

A vulnerability affecting 24 Zoho ManageEngine products can be exploited by attackers for initial access to victim systems in addition to lateral network movement with highly privileged credentials.

Discovered by Horizon3 researchers who have warned against “spray and pray” attacks on vulnerable organisations using the ManageEngine suite, the vulnerability is tracked as CVE-2022-47966 and was patched by Zoho by the end of October 2022.

According to Zoho, its ManageEngine product suite is used by over 280,000 organisations across 190 countries worldwide. This puts many organisations at risk, especially if they haven’t patched their installations yet. 

Horizon3’s report points out: “given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched”. In addition to the patch issued in November, Zoho has also issued an advisory on the matter, urging organisations to apply the patch as soon as possible. 

As for the vulnerability itself, it allows for remote code execution with system-level privileges, essentially giving an attacker full remote control of the system. Depending on the specific ManageEngine product, the vulnerability can be exploited if SAML single-sing-on (SSO) is enabled or has been enabled in the past. 

At the time of writing, researchers have discovered 5255 exposed instances of ServiceDesk Plus, with 509 having SAML enabled and 3105 exposed instances of Endpoint Central, with 345 having SAML enabled. These are just two of the 24 exposed products in the ManageEngine suite. 

Top 10 anti-virus apps for Android | Candid.Technology

Overall, there are likely thousands of exposed ManageEngine instances across the internet. Given the data mentioned above, Horizon3 estimates that roughly 10% of all ManageEngine products have SAML enabled. Organisations using SAML tend to be larger, more mature, and likely high-value targets for attackers. 

Vulnerabilities in Zoho products have also been added to CISA’s list of known vulnerabilities due to their severe nature. The CISA and FBI have issued alerts for vulnerabilities in ManageEngine Desktop Central and ManageEngine ServiceDesk Plus, tracked as CVE-2021-44515 and CVE-2021-44077, respectively. 

In the News: Nokia unveils T21 tablet starting at INR 17,999

Update 18/01 | 11:30 am: The headline and lede were edited. The article wrongly stated that the vulnerability was actively exploited, while it's under the threat of exploitation.
>