Security News > 2023 > February > Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023.
Tracked as CVE-2022-47966, the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.
As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management, are affected by the issue.
The shortcoming "Allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario," Bitdefender's Martin Zugec said in a technical advisory shared with The Hacker News.
A majority of the attack victims are located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the U.K., and the U.S. The main objective of the attacks detected to date revolves around deploying tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon.
Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti.
News URL
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |