Unpatched Zoho ManageEngine Products Open to Possible Attack
The latest critical bug is exploitable in dozens of ManageEngine products and exposes systems to catastrophic risks, researchers warn.
Ed note: An earlier version incorrectly stated the vulnerability is under active attack. Instead, GreyNoise researchers are tracking any potential attacks.
Several Zoho ManageEngine IT management products require patching against a critical unauthenticated remote code execution (RCE) vulnerability that researchers warn is ripe for attack.
On Jan. 10, ManageEngine released an update against the bug, tracked under CVE-2022-47966, blaming it on "... an outdated third party dependence, Apache Santuario."
The security advisory adds that any of the two dozen impacted ManageEngine products is vulnerable if single sign-on is, or has ever been, enabled.
By Jan. 13, researchers at Horizon.ai provided indicators of compromise (IoCs). Now GreyNoise is tracking potential attacks attempting to exploit the RCE.
Once the RCE is used to breach a system, threat actors could use that access to create all sorts of havoc, Horizon.ai analysts explained.
"ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management," the Horizon.ai researchers added. "Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access if exposed to the internet, and the ability for lateral movement with highly privileged credentials."