Remote code execution vulnerability in multiple ManageEngine products
Unauthenticated threat actors can execute arbitrary code on affected ManageEngine instances if SAML-based single sign-on (SSO) is, or has at some point been, enabled in the ManageEngine setup.
This pre-authentication RCE flaw is tracked as CVE-2022-47966 and stems from the use of an outdated, vulnerable version of the Apache Santuario library.
Recommendations:
Kindly proceed with the installation of the relevant updated versions of the affected products. The issue has been fixed by updating the third-party module (Apache Santuario) to its current version.
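As an added defender-side example (not code from the advisory or from ManageEngine), the following Python script inventories the copies of the Apache Santuario library bundled under an install directory and flags any below a minimum version supplied by the operator. It assumes the library ships under the standard Santuario artifact name `xmlsec-<version>.jar`; the version floor used in the demo is a constructed placeholder, not a value from this page.

```python
"""Inventory Apache Santuario JARs (xmlsec-<version>.jar) under an install tree.

Added example, not the vendor's code. Assumes the library ships under the
standard Santuario artifact name 'xmlsec-<version>.jar'; the minimum acceptable
version is an operator input from the vendor's fix notes ('2.3.0' in the demo
is a constructed placeholder, not a value taken from the advisory).
"""
import os
import re
import tempfile

# Standard artifact name, e.g. xmlsec-1.4.0.jar; any other JAR is ignored.
JAR_RE = re.compile(r"^xmlsec-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

def parse_version(ver: str) -> tuple:
    """'2.3' -> (2, 3, 0), so numeric comparison works across version lengths."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_santuario_jars(root: str) -> list:
    """Sorted (path, version) pairs for every xmlsec-<ver>.jar below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                hits.append((os.path.join(dirpath, name), m.group(1)))
    return sorted(hits)

def assess(root: str, min_version: str) -> dict:
    """Bundled products often carry several copies: report each as 'ok' or 'outdated'."""
    floor = parse_version(min_version)
    report = {"ok": [], "outdated": []}
    for path, ver in find_santuario_jars(root):
        report["ok" if parse_version(ver) >= floor else "outdated"].append((path, ver))
    return report

def run_demo() -> dict:
    """Create a constructed install tree in a temp dir and assess it."""
    sample = (
        "lib/xmlsec-1.4.0.jar",                 # constructed: a stale copy
        "webapps/WEB-INF/lib/xmlsec-2.3.0.jar", # constructed: an updated copy
        "lib/commons-io-2.11.0.jar",            # unrelated JAR, must be ignored
    )
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return assess(root, "2.3.0")
```

Run `assess("<install root>", "<minimum version from the vendor advisory>")` against a real install; every copy reported as outdated should be gone after the product update is applied.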
References / IOCs:
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- ManageEngine CVE-2022-47966 IOCs – Horizon3.ai
- https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/
The Threat Hunting and SOC teams of OBRELA remain vigilant and continue to monitor the activity.