An attack is underway to exploit a critical vulnerability in remote code execution (RCE), which affects multiple Zoho ManageEngine products.
Rapid7, a cybersecurity company, observed the first exploit attempts on Tuesday. This was two days after Horizon3 security researchers as well as in-depth technical analysis.
Rapid7 has responded to various compromises that result from CVE-20222-47966’s preauthentication remote code execution vulnerability (RCE), which affects at least 24 ManageEngine products,” threat detection firm .
“Rapid7” observed that exploitation was occurring across different organizations starting January 17th, 2023 (UTC).
Shadowserver Foundation researchers confirmed this by saying they “pick up exploit attempts from at minimum 10 IPs for CVE-202-27966 unauthenticated RCE, affecting multiple Zoho ManageEngine product (that have SAML SSO disabled).
GreyNoise, a threat intelligence company, confirmed their findings. GreyNoise began monitoring CVE-2022-47966 exploit attempts on January 12th.
GreyNoise detected that target Internet-exposed ManageEngine instances susceptible to CVE-20222-47966 attacks.
One of the IPs, i.e. 126.96.36.199, assigned to a Linux server at China Telecom Backbone has attempted to compromise other servers that were not protected against the vulnerability.
Post-exploitation activities on compromised devices
Rapid7 observed some post-exploitation activity as part of an investigation into attacks on ManageEngine instances of customers.
According to the company, the attackers use PowerShell scripts in order to disable Microsoft Defender real time protection and add the C:UsersPublic directory to Defender’s exclusion list.
Additional payloads are also deployed by the threat actors, such as remote access tools disguised under Windows Service Host.
A Golang protocol tunneling tool called Chisel, which is similar to the Plink command-line link tool (PuTTY Link), can be used to make a reverse SSL tunnel. This will allow remote shells to bypass firewalls.
ShadowServer shared a vulnerability attempt with BleepingComputer. The attackers used curl for downloading a file from remote servers (106.246.224[.]). Execute it.
This file is no longer available on the server. There’s also no information on malicious behavior.
The IP address does however have a distributing Linux backdoors to compromised devices via or the .
Rapid7 advised that organizations using affected products should immediately update and inspect unpatched systems to look for indications of compromise. Exploit code is public and has already started.
Horizon more than 8,300 Internet-exposed ServiceDesk Plus or Endpoint Central instances. They warned about “spray-and pray” attacks, after they estimated that approximately 10% of these instances could also be vulnerable.
CISA and FBI issued prior joint advisories ( and ) in order to warn about state-backed threat agents exploiting ManageEngine flaws and dropping web shells onto the networks of organisations from various critical infrastructure sectors including financial services, healthcare, and finance.