Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.
The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.
According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.
“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.
Horizon3.ai red-teamer James Horseman is calling attention to exposed attack surfaces that put thousands of organizations at risk. “Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled,” Horseman said, estimating that roughly 10% of all Zoho Management products may be sitting ducks for these attacks.
“Organizations that use SAML in the first place tend to be larger and more mature and are likely to be higher value targets for attackers,” Horseman warned.
Although Zoho issued patches late last year, Horseman notes that some organizations are still be tardy on deploying the fixes. “Given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”
“We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product,” Horseman added.
Zoho boasts that about 280,000 organizations across 190 countries use its ManageEngine product suite to manage IT operations.
The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, has struggled with zero-day attacks and major security problems that have been targeted by nation-state APT actors.
The US government’s cybersecurity agency CISA has added Zoho vulnerabilities to its federal ‘must-patch’ list because of known exploitation activity.