"Researchers Warn Against Zoho ManageEngine Exploit Attacks"

Horizon3.ai researchers are urging Zoho ManageEngine users to patch their software against a critical security vulnerability (tracked as CVE-2022-47966) after designing and releasing proof-of-concept (PoC) exploit code. The researchers said they successfully reproduced the exploit and are now providing additional insight into the vulnerability to help users determine if they have been compromised. Patched by Zoho between the last week of October and the first of November 2022, the bug affects multiple Zoho ManageEngine products. The researchers noted that the vulnerability can be exploited over the internet to achieve remote code execution (RCE) if Security Assertion Markup Language (SAML) single sign-on (SSO) is enabled or has been enabled before. Once attackers have SYSTEM-level access to the endpoint, they are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement. The researchers noted that Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled.

 

Infosecurity reports: "Researchers Warn Against Zoho ManageEngine Exploit Attacks"

Submitted by Anonymous on