PoC exploit released by researchers to fix critical Zoho RCE issue, patch here

This week, a proof-of-concept exploit code for a critical flaw that allows remote code execution without authentication will be made public.

This vulnerability was tracked as CVE-20222-47966. It is caused by the use of an insecure third-party dependency called Apache Santuario.

If the SAML-based single sign-on (SSO), is enabled or has been activated at least once prior to the attack, successful exploitation allows unauthenticated threat actor(s) to execute arbitrary Code on ManageEngine Servers

Nearly all ManageEngine products are included in the list. However, Zoho is already working to patch them, starting October 27, 2022 with an update of the third-party module.

Attacks of “spray-and-pray”

Security researchers from Horizon3’s Attack Team administrators that they had created a proof of concept (PoC), exploit for CVE-20222-47966.

The vulnerability is simple to exploit, and attackers can’spray’ and pray across the Internet. “This vulnerability allows remote code execution under NT AUTHORITYSYSTEM,” Horizon3 vulnerability researcher James Horseman .

If a user suspects that they are being compromised, further investigation will be required in order to find out the extent of damage done by an attacker. An attacker will likely dump credentials once they have SYSTEM-level access to an endpoint. They may also use existing public tools to gain access to stored credentials in order to perform lateral movements.

They have yet to disclose technical details, and they only provide shared indicators of compromise (“IOCs”) that can be used by defenders to assess if the systems are compromised. However Horizon3 their PoC exploit this week.

Horizon3 researchers also shared this screenshot showing how their exploit was used against an vulnerable ManageEngine ServiceDesk Plus.

CVE-2022-47966 PoC exploit (Horizon3)

10% of all instances that are exposed to attackable

Horseman discovered thousands of vulnerable ManageEngine products via Shodan, ServiceDesk Plus, and Endpoint Central.

Hundreds of ManageEngine products had SAML enabled. This made 10% of ManageEngine products susceptible to CVE-20222-47966 attacks.

Although there have been no reports that this vulnerability has been exploited and according to cybersecurity firm GreyNoise. Motivated attackers are likely to move fast to develop their own RCE exploits after Horizon3 releases their PoC code.

Horizon3 released an exploit code previously for:

  • is a critical flaw in Zoho ManageEngine ADAudit Plus which can allow attackers to compromise Active Directory accounts.
  • is a critical flaw that allows remote code execution on F5 BIG IP networking devices.
  • is a critical vulnerability that allows attackers to gain administrator privileges in VMware products.

In recent years, Zoho ManageEngine servers were constantly under attack by who used tactics and tools similar to the Chinese-linked APT27 hacking team. This was between August 2021 and October 2021.

In July 2020, Desktop Central was also compromised by hackers who sold access to hacking forums .

Following this attack campaign, CISA and FBI issued joint advisory [ , ] warning about state-sponsored attackers using ManageEngine bugs for backdoors to critical infrastructure.