Exploit released for critical ManageEngine RCE bug, patch now

Proof-of-concept exploit code is now available for a remote code execution vulnerability in multiple Zoho ManageEngine products.
The PoC exploit was tested against ServiceDesk Plus and Endpoint Central, and Horizon3 said: "Expect this POC to work unmodified on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral."
CVE-2022-28219, a critical flaw in Zoho ManageEngine ADAudit Plus that lets attackers compromise Active Directory accounts, CVE-2022-1388, a critical vulnerability allowing remote code execution in F5 BIG-IP networking devices, and CVE-2022-22972, a critical authentication bypass bug in multiple VMware products that can let threat actors gain admin privileges.
Last week, Horizon3 researchers also warned of a potential wave of attacks after the PoC exploit is released since "The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' across the Internet."
While there are no reports of attacks leveraging this vulnerability and no attempts to exploit it in the wild, threat actors will likely move quickly to develop custom RCE exploits based on Horizon3's PoC code.
Following these and other attacks targeting ManageEngine, CISA and the FBI issued two joint advisories [1, 2] to warn of state-backed attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-20 | CVE-2022-22972 | Unspecified vulnerability in VMWare products: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. | 9.8 |
2022-05-05 | CVE-2022-1388 | Unspecified vulnerability in F5 products: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. | 0.0 |
2022-04-05 | CVE-2022-28219 | XXE vulnerability in Zohocorp Manageengine Adaudit Plus: Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. | 9.8 |