CISA alerts about critical ManageEngine RCE vulnerability exploited during attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.

The security flaw is tracked as CVE-2022-47966. It was patched in multiple waves beginning October 27, 2022.

It can be exploited by unauthenticated threat actors if SAML-based single sign-on (SSO) is enabled, or has been enabled at least once before the attack.

Horizon3 security researchers published their findings last week and warned of incoming "spray-and-pray" attacks.

The researchers found more than 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances, and they estimate that approximately 10% of them are at risk.

The following day, multiple cybersecurity firms warned that unpatched ManageEngine instances exposed online were being exploited in ongoing attacks to deploy reverse shells.

Rapid7 security experts have observed post-exploitation activity in which attackers disable real-time malware protection on compromised devices, then deploy backdoors and remote access tools.

All organizations are urged to prioritise patching

Now that CISA has added it to the catalog, all Federal Civilian Executive Branch (FCEB) agencies must patch their systems against this actively exploited bug, as required by the binding operational directive issued in November 2021.

Federal agencies have three weeks, until February 13th, to secure their networks against exploitation.

BOD 22-01 applies only to U.S. FCEB agencies, but the cybersecurity agency strongly urged organizations in all sectors to prioritise patching this vulnerability.

CISA stated Monday that this kind of vulnerability is a common attack vector for cyber criminals and presents a serious risk to the federal enterprise.

In September, CISA ordered federal agencies to fix another critical flaw (CVE-2022-35405) in several Zoho ManageEngine products. That flaw allows unauthenticated remote code execution on successful exploitation.

A module targeting CVE-2022-35405, which helps attackers gain RCE as the SYSTEM user, has been available online since August.

CISA and the FBI have previously warned about state-backed groups exploiting ManageEngine flaws to target organisations in critical infrastructure sectors, including healthcare, financial services, and insurance.