2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
According to CTOnews.com on January 17, network security researchers from the Horizon3 Attack Team have released a proof-of-concept (PoC) exploit for a vulnerability that exists in many VMware products.
According to reports, the CVE-2022-47966 vulnerability allows attackers to remotely execute code on ManageEngine servers without authentication if SAML-based single sign-on (SSO) has been enabled on those servers at some point in time, so turning off this feature will not solve the problem.
The researchers point out that vulnerable endpoints use an outdated third-party dependency called Apache Santuario, which allows attackers to remotely execute code under the identity of NT AUTHORITY\SYSTEM, thus taking full control of the system.
At present, this vulnerability is easy to exploit and is a good candidate for attackers to "spray and pray" across the Internet. The researchers warn that the vulnerability allows remote code execution as NT AUTHORITY\SYSTEM, basically giving the attacker complete control of the system.
"If users determine that their information is compromised, additional investigation is needed to determine the damage caused by the attacker. Once the attacker has gained system-level access to the endpoint, the attacker may begin to access the stored application credentials through LSASS dump credentials or use existing public tools for horizontal transfer."
CTOnews.com notes that Zoho has released the corresponding patch. If you need it, please download it as soon as possible.
It is worth mentioning that after searching for unpatched endpoints through Shodan, researchers still found "thousands" of vulnerable ManageEngine products, ServiceDesk Plus and Endpoint Central instances.
Currently, there are no reports of malicious exploitation of CVE-2022-47966 in the industry, but if IT administrators choose to ignore this vulnerability, there will be victims sooner or later.