Zoho users at risk of attack due to an unpatched vulnerability

Share post:

Zoho users who did not install the security updates that addressed CVE-2022-47966 (CVSS score: 9.8), a pre-authentication remote code execution vulnerability in 24 different Zoho products that use the company’s ManageEngine, are vulnerable to another attack from multiple threat actors. As the threat actors are now deploying malware capable of executing next-stage payloads using it as an attack vector.

Due to the use of an outdated third-party dependency, Apache Santuario, the unauthenticated remote code execution vulnerability was reported and patched in the following ManageEngine OnPremise products. The problem affects up to 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM).

CVE-2022-47966 enables attackers to remotely execute malicious code by sending a standard HTTP POST request with a specially crafted response using the Security Assertion Markup Language. (SAML is an open-standard language used by identity providers and service providers to exchange authentication and authorization data). The flaw is caused by Zoho’s use of an out-of-date version of Apache Santuario for XML signature validation.

The exploitation efforts are said to have begun the day after Horizon3.ai, a penetration testing firm, released a proof-of-concept (PoC) last month. The primary goal of the attacks detected thus far has been to deploy tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon. Some intrusions used the initial access to install AnyDesk software for remote access, while others attempted to install a Windows version of the Buhti ransomware strain.

The sources for this piece include an article in TheHackerNews.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways