Threat Intelligence: Unpatched Zoho ManageEngine Products are Being Actively Targeted by Cyberattacks
Posted: January 25, 2023
On Monday, January 23rd, 2023, CISA added CVE-2022-47966 to its Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), a notice to both public and private entities that the vulnerability is being exploited in the wild and carries a high risk of abuse.
Attackers are actively exploiting a number of Zoho ManageEngine products, including but not limited to AD360 (Active Directory 360), ADSelfService Plus, ADManager Plus, Endpoint Central and Endpoint Central MSP.
According to the vendor's security advisory (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) for the confirmed CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47966), at least 24 individual ManageEngine products are affected by this critical vulnerability.
The vulnerability allows unauthenticated remote code execution. Because the affected products run as Windows services, typically as SYSTEM, a successful exploit hands the attacker full control of the host. A scan of internet-facing instances estimated that at least 10% of exposed ManageEngine installations are vulnerable.
Exposure depends on SAML: a product is vulnerable if SAML-based single sign-on is currently enabled and, for some products, if it was ever enabled, because the flaw lies in the outdated Apache Santuario (xmlsec) library the products use to validate SAML responses. Remediation is an upgrade to the fixed build, so please refer to the advisory page (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) for the fixed build number and the upgrade or hotfix for each product.
Since this vulnerability covers such a wide range of ManageEngine products, now is a good time to run a Galactic scan across your environment and your clients' environments for previously unknown software belonging to the Zoho ManageEngine family.
ManageEngine products are heavily used both in the MSP space and across enterprises worldwide. Under CISA's Binding Operational Directive 22-01, federal civilian agencies have three weeks, until February 13th, 2023, to patch this vulnerability. Please check your environments for it.
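As an added example that is not part of the original post and not a Zoho/ManageEngine tool, the following PowerShell script inventories a single Windows host for ManageEngine products from three places: the uninstall registry keys (native and 32-bit views), the Windows service list, and the default C:\ManageEngine install root. It assumes the products register an uninstall entry or service whose display name contains "ManageEngine" or "Zoho" and install under that default path; both are assumptions to verify against your own builds. The script only finds and reports; the version it returns still has to be compared against the fixed build numbers in the vendor advisory.

```powershell
# Find-ManageEngine.ps1 (added example, not from the original post or the vendor)
# Inventories one Windows host for Zoho ManageEngine products so each build can be
# checked against the fixed builds listed in the CVE-2022-47966 advisory.
# Assumptions (verify against your own installs): products register an uninstall
# entry or a Windows service whose display name contains "ManageEngine"/"Zoho",
# and/or live under the default install root C:\ManageEngine.

$hostName = $env:COMPUTERNAME

# 1. Uninstall entries, both the native and the 32-bit (WOW6432Node) registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$apps = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -match 'ManageEngine|Zoho' } |
        ForEach-Object {
            [PSCustomObject]@{
                Host     = $hostName
                Source   = 'Uninstall key'
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion   # compare with the advisory's fixed build
                Location = $_.InstallLocation
            }
        }
}

# 2. Windows services: the products run as services, usually as LocalSystem,
#    which is why a successful exploit yields SYSTEM-level access on the host.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match 'ManageEngine' -or $_.PathName -match 'ManageEngine' } |
    ForEach-Object {
        [PSCustomObject]@{
            Host     = $hostName
            Source   = "Service ($($_.State), runs as $($_.StartName))"
            Name     = $_.DisplayName
            Version  = $null
            Location = $_.PathName
        }
    }

# 3. Default install root; each product normally gets its own subfolder.
$dirs = @()
if (Test-Path 'C:\ManageEngine') {
    $dirs = Get-ChildItem 'C:\ManageEngine' -Directory | ForEach-Object {
        [PSCustomObject]@{
            Host     = $hostName
            Source   = 'Install directory'
            Name     = $_.Name
            Version  = $null
            Location = $_.FullName
        }
    }
}

# Merge the three views, dropping empty results from sources that found nothing.
$findings = @( @($apps) + @($services) + @($dirs) | Where-Object { $null -ne $_ } )

if ($findings.Count -eq 0) {
    Write-Verbose "$($hostName): no ManageEngine products found" -Verbose
} else {
    Write-Warning "$($hostName): $($findings.Count) ManageEngine indicator(s) found; compare each build with the CVE-2022-47966 advisory"
}

# Emit objects rather than formatted text so the output can be piped to
# Format-Table for reading or Export-Csv for aggregation across a client base.
$findings | Sort-Object Source, Name
```

Run it in an elevated PowerShell session on each host, or push it across a fleet with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Find-ManageEngine.ps1 | Export-Csv .\manageengine-inventory.csv -NoTypeInformation`; the objects returned through Invoke-Command carry a PSComputerName column, so one CSV covers all hosts. Any product the script surfaces then needs two manual checks from the advisory: is the installed build below the fixed build, and has SAML SSO ever been enabled on that instance.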
Based on previous data from the dark-web and underground sources, we have seen that ManageEngine products are a prime target (https://www.bleepingcomputer.com/news/security/hackers-sell-access-to-your-network-via-remote-management-apps/) for both cyber-attackers and brokers of stolen data.
If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.