The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.
This security flaw is identified as CVE-2022-47966 and has been fixed in several waves starting on October 27, 2022.
Unauthenticated attackers can exploit it to execute arbitrary code if SAML-based single sign-on (SSO) is enabled, or has been enabled at least once, prior to the attack.
Last week, Horizon3 security researchers published a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming “spray and pray” attacks.
They found over 8,300 ServiceDesk Plus and Endpoint Central instances exposed to the internet and estimated that around 10% of them are also vulnerable.
A day later, multiple cybersecurity firms warned that unpatched ManageEngine instances exposed online were being targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.
Post-exploitation activity observed by Rapid7 security researchers shows attackers disabling real-time malware protection on compromised devices and then deploying remote access tools as backdoors.
Exploitation attempts detected from 10 or more IP addresses for unauthenticated CVE-2022-47966 RCE affecting multiple Zoho ManageEngine products (which have SAML SSO enabled).
Make sure to update to the patched versions as specified in the ManageEngine advisory: https://t.co/BIRlXnHkAT
— Shadowserver (@Shadowserver) January 19, 2023
All Organizations Urged to Prioritize Patches
All Federal Civilian Executive Branch (FCEB) agencies must now patch their systems against this actively exploited bug, since its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog triggers the requirements of Binding Operational Directive 22-01 (BOD 22-01), published in November 2021.
Federal agencies have three weeks, until February 13, to ensure their networks are secure against ongoing exploit attempts.
Although BOD 22-01 only applies to US FCEB agencies, the cybersecurity agency also strongly urged all private and public sector organizations to prioritize patching this vulnerability.
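The KEV catalog that drives the BOD 22-01 deadline is published by CISA as a JSON feed, and the practical task for a defender is to match its entries against the products actually deployed and track the remaining time to the due date. The script below is an added example, not code from the article, CISA or Zoho: it parses records laid out like the public KEV feed (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), filters them against a small asset inventory, and checks each due date against the three-week rule the article describes. The feed excerpt, the inventory, the second and third records' dates and the placeholder `CVE-YYYY-NNNNN` entry are constructed sample data, not a live download.

```python
"""Triage CISA KEV records against a local asset inventory (added example)."""
import json
from datetime import date, datetime, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed. The first record's
# dates follow the article (added on a Monday, due three weeks later on
# 2023-02-13); the remaining records and the placeholder CVE are illustrative.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-47966",
            "vendorProject": "Zoho",
            "product": "ManageEngine Multiple Products",
            "dateAdded": "2023-01-23",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-02-13",
        },
        {
            "cveID": "CVE-2022-35405",
            "vendorProject": "Zoho",
            "product": "ManageEngine Multiple Products",
            "dateAdded": "2022-09-22",   # constructed, illustrative only
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-13",     # constructed, illustrative only
        },
        {
            "cveID": "CVE-YYYY-NNNNN",   # placeholder: unrelated vendor, must be filtered out
            "vendorProject": "ExampleVendor",
            "product": "Example Appliance",
            "dateAdded": "2023-01-23",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-02-13",
        },
    ],
})

# Constructed inventory: (vendor, product keyword) pairs describing what we run.
SAMPLE_INVENTORY = [("Zoho", "ManageEngine")]


def load_kev(feed_text):
    """Parse a KEV JSON document and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def parse_day(text):
    """KEV dates are ISO calendar dates (YYYY-MM-DD)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def bod_22_01_due(date_added):
    """BOD 22-01 gives FCEB agencies three weeks from the date a CVE is added to KEV."""
    return date_added + timedelta(days=21)


def match_inventory(entries, inventory):
    """Keep records whose vendor matches and whose product name contains the keyword."""
    hits = []
    for entry in entries:
        for vendor, keyword in inventory:
            if (entry["vendorProject"].lower() == vendor.lower()
                    and keyword.lower() in entry["product"].lower()):
                hits.append(entry)
                break
    return hits


def triage(feed_text, inventory, today):
    """Return matching records with days remaining, overdue flag and a due-date sanity check,
    sorted so the most urgent (or most overdue) entries come first."""
    report = []
    for entry in match_inventory(load_kev(feed_text), inventory):
        due = parse_day(entry["dueDate"])
        report.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": today > due,
            # Flags feed entries whose due date does not follow the three-week rule.
            "due_matches_bod": due == bod_22_01_due(parse_day(entry["dateAdded"])),
        })
    report.sort(key=lambda row: row["days_left"])
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date(2023, 1, 30)):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']}: {row['product']} due {row['due']} ({status})")
```

Against a real download, `SAMPLE_KEV_FEED` would be replaced by the feed body and `SAMPLE_INVENTORY` by the organization's asset list; the `due_matches_bod` field is a consistency check, not an authority, since the published `dueDate` is what the directive binds agencies to.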
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA said Monday.
In September, CISA ordered federal agencies to patch another critical flaw (CVE-2022-35405) in several Zoho ManageEngine products that allows unauthenticated remote code execution.
A Metasploit module (which yields RCE as the SYSTEM user) and proof-of-concept (PoC) exploit code targeting CVE-2022-35405 have been available online since August.
CISA and the FBI have already warned (1, 2) that state-backed groups are exploiting flaws in ManageEngine to target organizations across multiple critical infrastructure sectors, including financial services and healthcare.