The Horizon3 research team has developed a proof-of-concept (PoC) exploit for a critical vulnerability in several Zoho ManageEngine products. They plan to publish it openly online at the end of the week. Apparently, the white-hat hackers want to draw the developers' attention so that they patch the security hole as soon as possible.
The vulnerability is tracked as CVE-2022-47966 and allows unauthenticated attackers to execute arbitrary code on ManageEngine servers, that is, to achieve remote code execution (RCE).
The list of vulnerable programs includes almost all ManageEngine products. However, Zoho has already released updates for most of them.
Researchers from the Horizon3 Attack Team have already warned Zoho representatives that they created an exploit based on this vulnerability. They have not yet published technical details, providing only general indicators of compromise (IOCs), but Horizon3 plans to release its exploit later this week.
Horizon3 researchers also shared a screenshot showing their exploit in action. It is demonstrated against ManageEngine ServiceDesk Plus.
Exploit POC CVE-2022-47966
James Horseman, a researcher from Horizon3, found that approximately 10% of all available ManageEngine products are vulnerable to CVE-2022-47966 attacks.
Although there are no public reports of attacks using this vulnerability or of attempts to exploit it in the wild, according to GreyNoise, interested attackers will most likely move quickly to create their own RCE exploits as soon as Horizon3 publishes its PoC code.
Horizon3 has previously published exploits for the following vulnerabilities:
- CVE-2022-28219: a critical vulnerability in Zoho ManageEngine ADAudit Plus that allows attackers to compromise Active Directory accounts.
- CVE-2022-1388: a critical bug that allows remote code execution on F5 BIG-IP network devices.
- CVE-2022-22972: a critical authentication bypass vulnerability in several VMware products that allows attackers to gain administrator rights.
Tough, but effective: after an ultimatum put to the developers, there is no doubt that any vulnerabilities will be eliminated as soon as possible.