There's a critical vulnerability in Zoho ManageEngine Products. Here's what you need to know.
Background
A critical security flaw has been discovered in numerous Zoho ManageEngine products, which are widely used for IT management and IT security. The flaw (CVE-2022-47966) allows a remote, unauthenticated attacker to execute arbitrary code on systems running the vulnerable software. Zoho reports that for exploitation to succeed, SAML SSO must currently be enabled in the ManageEngine setup or must have been enabled in the past.
Threat actors are actively exploiting this vulnerability. Zoho has released security patches, and these should be applied immediately. Applying the security patches is recommended regardless of SAML configuration.
Impact
Attackers can exploit this vulnerability to gain full control over unpatched systems. Corvus has observed similar vulnerabilities leading to ransomware events.
The following table lists the impacted products and versions, along with the corresponding security patch.
| Product Name | Impacted Version(s) | Fixed Version(s) | Applicable if SAML Currently Active | Applicable if SAML Active in the Past |
|---|---|---|---|---|
| Access Manager Plus* | 4307 and below | X | | |
| Active Directory 360** | 4309 and below | X | | |
| ADAudit Plus** | 7080 and below | X | | |
| ADManager Plus** | 7161 and below | X | | |
| ADSelfService Plus** | 6210 and below | X | | |
| Analytics Plus* | 5140 and below | X | | |
| Application Control Plus* | 10.1.2220.17 and below | X | | |
| Asset Explorer** | 6982 and below | X | | |
| Browser Security Plus* | 11.1.2238.5 and below | X | | |
| Device Control Plus* | 10.1.2220.17 and below | X | | |
| Endpoint Central* | 10.1.2228.10 and below | X | | |
| Endpoint Central MSP* | 10.1.2228.10 and below | X | | |
| Endpoint DLP* | 10.1.2137.5 and below | X | | |
| Key Manager Plus* | 6400 and below | X | | |
| OS Deployer* | 1.1.2243.0 and below | X | | |
| PAM 360* | 5712 and below | X | | |
| Password Manager Pro* | 12123 and below | X | | |
| Patch Manager Plus* | 10.1.2220.17 and below | X | | |
| Remote Access Plus* | 10.1.2228.10 and below | X | | |
| Remote Monitoring and Management (RMM)* | 10.1.40 and below | X | | |
| ServiceDesk Plus** | 14003 and below | X | | |
| ServiceDesk Plus MSP** | 13000 and below | X | | |
| SupportCenter Plus** | 11017 to 11025 | X | | |
| Vulnerability Manager Plus* | 10.1.2220.17 and below | X | | |
Next Steps
- Check the table above and upgrade to a fixed version of the specific product.
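To make the table check repeatable across an inventory, here is an added triage helper (example code, not from this advisory or from Zoho). It copies the impacted ranges from the table above (with the `*`/`**` markers dropped from product names), parses both the plain build numbers and the dotted `10.1.2220.17` style so they compare numerically, and handles the inclusive `11017 to 11025` range for SupportCenter Plus; the `triage` function and the `(host, product, build)` inventory shape are assumptions for illustration.

```python
# Added triage helper, not part of the advisory or of ManageEngine's own tooling:
# decide whether an installed build falls inside an impacted range from the table above.
from typing import Iterable, List, Optional, Tuple

# Impacted ranges copied from the table above. (low, high) is inclusive;
# low=None means "high and below".
IMPACTED = {
    "Access Manager Plus": (None, "4307"),
    "Active Directory 360": (None, "4309"),
    "ADAudit Plus": (None, "7080"),
    "ADManager Plus": (None, "7161"),
    "ADSelfService Plus": (None, "6210"),
    "Analytics Plus": (None, "5140"),
    "Application Control Plus": (None, "10.1.2220.17"),
    "Asset Explorer": (None, "6982"),
    "Browser Security Plus": (None, "11.1.2238.5"),
    "Device Control Plus": (None, "10.1.2220.17"),
    "Endpoint Central": (None, "10.1.2228.10"),
    "Endpoint Central MSP": (None, "10.1.2228.10"),
    "Endpoint DLP": (None, "10.1.2137.5"),
    "Key Manager Plus": (None, "6400"),
    "OS Deployer": (None, "1.1.2243.0"),
    "PAM 360": (None, "5712"),
    "Password Manager Pro": (None, "12123"),
    "Patch Manager Plus": (None, "10.1.2220.17"),
    "Remote Access Plus": (None, "10.1.2228.10"),
    "Remote Monitoring and Management (RMM)": (None, "10.1.40"),
    "ServiceDesk Plus": (None, "14003"),
    "ServiceDesk Plus MSP": (None, "13000"),
    "SupportCenter Plus": ("11017", "11025"),
    "Vulnerability Manager Plus": (None, "10.1.2220.17"),
}

def _key(build: str) -> Tuple[int, ...]:
    """Turn '4307' or '10.1.2220.17' into a tuple that compares numerically."""
    return tuple(int(part) for part in build.strip().split("."))

def is_impacted(product: str, build: str) -> bool:
    """True when `build` of `product` lies inside the table's impacted range.
    Unknown product names raise KeyError so a typo is never reported as 'safe'."""
    low, high = IMPACTED[product]
    b = _key(build)
    if low is not None and b < _key(low):
        return False  # below the start of an explicit "low to high" range
    return b <= _key(high)

def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (host, product, build) triples; returns those still needing the patch."""
    return [(h, p, b) for h, p, b in inventory if is_impacted(p, b)]
```

Hosts returned by `triage` are the ones to upgrade first, regardless of whether SAML is enabled today.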
Resources
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html