The ManageEngine IT service management solutions suite is relied upon by established and emerging enterprises – including 9 of every 10 Fortune 100 organizations – to help optimize performance of their IT infrastructure, including networks, servers, applications, endpoints and more.
The Horizon3.ai Attack Team has reproduced the recent ManageEngine CVE-2022-47966 pre-auth RCE, which affects nearly all of their products. Horizon3.ai has also published indicators of compromise (IOCs) in their new blog ManageEngine CVE-2022-47966 IOCs authored by Horizon3.ai Exploit Developer James Horseman.
This exploit requires that Security Assertion Markup Language (SAML) single-sign-on has been enabled. Organizations that use SAML tend to be larger and more mature, and are likely to be higher value targets for attackers. Its primary role in online security is enabling access to multiple web applications using a single set of login credentials.
This bug is considered to be low in complexity and easy to exploit.
While there is no public POC as of January 13, 2023, the Horizon3.ai expects that once a public POC is released, exploit activity will increase.
Eric Fredrickson, Head of Attack Engineering at Horizon3.ai, notes: “Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled.”
Looking just at the ServerDesk Plus and Endpoint Central products, the Horizon3.ai Attack Team found:
— 5,255 exposed instances of ServiceDesk Plus, of which 509 have SAML enabled.
— 3,105 exposed instances of Endpoint Central, of which 345 have SAML enabled.”
Frederickson also notes: “In a worst case scenario, an attacker would gain complete control of the system running the vulnerable ManageEngine project. From there, an attacker can pivot to other machines in the network, dump credentials, and deploy malware/ransomware.”
– EST