The Indian Cyber Emergency Response Team (CERT-IN) has issued an alert on a remote code execution vulnerability in Zoho ManageEngine products. The vulnerability, tracked as CVE-2022-47966, was patched by Zoho by the end of October 2022.
With a severity rating of High, the bug makes ManageEngine ServiceDesk Plus version 14003 and ManageEngine Endpoint Central version 10.1.2228.10 vulnerable to attacks.
“A Vulnerability has been reported in Zoho ManageEngine products which could allow an attacker to execute arbitrary code to gain sensitive information on the targeted system,” said the CERT-IN note.
“This vulnerability exists in Zoho ManageEngine products if SAML single-sign-on is enabled or has ever been enabled before. An attacker could exploit this vulnerability by sending a specially-crafted request.”
Tapping this bug could allow an attacker to run arbitrary code to access sensitive information on the system targeted.
The alert comes after researchers at Horizon3 found that the vulnerability can be exploited for initial access to victim systems and for lateral movement within networks using highly privileged credentials.
Zoho ManageEngine vulnerability and the scope of attack
Zoho’s ManageEngine products are used by over 280,000 organizations worldwide, putting many at risk if they have not patched their installations.
Researchers at Horizon3 warns that many organizations may not have patched yet due to slow enterprise patch cycles.
Zoho has issued an advisory, urging organizations to apply the patch as soon as possible. The vulnerability allows for remote code execution with system-level privileges, giving an attacker full control of the system.
“ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management,” read the Horizon3 report.
“Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with highly privileged credentials.”
Zoho ManageEngine and the vulnerability history
The Horizon3 report lists 5,255 exposed instances of ServiceDesk Plus, with 509 having SAML enabled and 3105 exposed instances of Endpoint Central, with 345 having SAML enabled.
“From this we presume that roughly 10% of all ManageEngine products exposed to the Internet have SAML enabled. Organizations that use SAML in the first place tend to be larger and more mature and are likely to be higher value targets for attackers,” said the report.
This is the latest among the list of the major Zoho systems vulnerabilities spotted over the past few months.
Zoho has called on customers on January 4 to patch a significant security vulnerability that affects various ManageEngine products.
The vulnerability, identified as CVE-2022-47523, is an SQL injection issue found in the Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution.
CISA issued a warning about a critical vulnerability (CVE-2022-35405) in ManageEngine products in September 2022.
This vulnerability, if exploited, could enable attackers to gain remote code execution on servers that have not applied the necessary patches and are running PAM360, Access Manager Plus, and Password Manager Pro.
