These VMware products can remotely execute code, so update now
Experts warn there could be a strong rise in breaches once a proof-of-concept for the vulnerabilities is released
Published on 18th January 2023
Cybersecurity researchers from the Horizon3 Attack Team have announced plans to release a proof-of-concept (PoC) exploit for a critical vulnerability discovered in a number of VMware products.
Having a PoC released means cybercriminals will get an easy explanation of how to exploit a flaw, which could result in a strong rise in successful breaches.
The flaw in question is tracked as CVE-2022-47966, a vulnerability that allows threat actors to remotely execute code in ManageEngine servers that have had the SAML-based single-sign-on (SSO) enabled at some point in the past (so turning the feature off will solve nothing). The vulnerable endpoints are using an outdated third-party dependency called Apache Santuario, the researchers said, adding that the attackers need not authenticate in order to run the code remotely.
Spray and pray
“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet. This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system,” the researchers warned.
“If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done. Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement.”
Although almost all ManageEngine products are vulnerable to the flaw, parent company Zoho was said to have already released a patch.
Using Shodan to search for unpatched endpoints, the researchers found “thousands” of vulnerable ManageEngine products, instances of ServiceDesk Plus and Endpoint Central.
Right now, there are no reports of CVE-2022-47966 being exploited in the wild, but if IT admins don’t patch the vulnerability on time, we can expect such reports to start pouring in sooner rather than later.
