Security News > 2023 > January > Exploit released for critical ManageEngine RCE bug, patch now
Proof-of-concept exploit code is now available for a remote code execution vulnerability in multiple Zoho ManageEngine products.
The PoC exploit was tested against ServiceDesk Plus and Endpoint Central, and Horizon3 "Expect this POC to work unmodified on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral."
CVE-2022-28219, a critical flaw in Zoho ManageEngine ADAudit Plus that lets attackers compromise Active Directory accounts, CVE-2022-1388, a critical vulnerability allowing remote code execution in F5 BIG-IP networking devices, and CVE-2022-22972, a critical authentication bypass bug in multiple VMware products that can let threat actors gain admin privileges.
Last week, Horizon3 researchers also warned of a potential wave of attacks after the PoC exploit is released since "The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' across the Internet."
While there are no reports of attacks leveraging this vulnerability and no attempts to exploit it in the wild, threat actors will likely move quickly to develop custom RCE exploits based on Horizon3's PoC code.
Following these and other attacks targeting ManageEngine, CISA and the FBI issued two joint advisories [1, 2] to warn of state-backed attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.
News URL
Related news
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Mitel 0-day, 5-year-old Oracle RCE bug under active exploit (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Hackers exploit critical unpatched flaw in Zyxel CPE devices (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-20 | CVE-2022-22972 | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. | 9.8 |
| 2022-05-05 | CVE-2022-1388 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. | 0.0 |
| 2022-04-05 | CVE-2022-28219 | XXE vulnerability in Zohocorp Manageengine Adaudit Plus Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution. | 9.8 |