Recently, Zoho ManageEngine released a security advisory for CVE-2022-47966, which allows pre-authentication remote code execution (RCE) in at least 24 ManageEngine products, including ADSelfService Plus and ServiceDesk Plus. The vulnerability stems from the products’ use of an outdated Apache Santuario library for XML signature validation: an attacker can achieve RCE simply by sending an HTTP POST request carrying a malicious SAML response.
This vulnerability is actively exploited in the wild. Requests attempting to exploit this vulnerability peaked on 20 January, right after public exploit code and deep dives were released. Collectively, we’ve seen almost 2,000 attack attempts this month, targeting almost 1,000 distinct sites, mostly based in the US and the Netherlands.
At this point, most attempts are conducting out-of-band application security testing (OAST) in an attempt to see if the targeted machines are vulnerable, but it’s likely that DDoS bots, crypto miners, and other attacks will soon follow.
Imperva WAF customers are protected out of the box, but all users of the affected ManageEngine products should update to a patched version immediately.
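For teams that want to inspect their own traffic, the following is an added detection example (not code from this post or from Imperva or Zoho). It decodes the `SAMLResponse` form field of a SAML HTTP-POST binding and flags responses whose XML signature requests an XSLT transform; that the exploit payloads rely on such a transform comes from public analyses of this CVE, not from the text above, and is an assumption of this check. The sample responses are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus

# XML-DSig namespace and transform identifiers. Assumption (not stated on the
# page): the malicious SAML responses carry an XSLT transform in ds:Signature.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def decode_saml_response(body):
    """Extract and base64-decode the SAMLResponse form field, or None."""
    params = parse_qs(body)
    if "SAMLResponse" not in params:
        return None
    try:
        return base64.b64decode(params["SAMLResponse"][0], validate=True)
    except binascii.Error:
        return None

def has_xslt_transform(xml_bytes):
    """True if any ds:Transform in the document asks the validator to run XSLT."""
    try:
        root = ET.fromstring(xml_bytes)  # expat does not resolve external entities
    except ET.ParseError:
        return False
    return any(t.get("Algorithm") == XSLT_TRANSFORM
               for t in root.iter(f"{{{DSIG_NS}}}Transform"))

def flag_request(body):
    """Return True when a POST body carries a SAML response with an XSLT transform."""
    xml_bytes = decode_saml_response(body)
    return xml_bytes is not None and has_xslt_transform(xml_bytes)

# Constructed sample responses (not real traffic): one ordinary enveloped
# signature and one whose Reference requests XSLT processing.
BENIGN_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo><ds:Reference URI="#_r1">'
    f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>'
)
SUSPICIOUS_XML = BENIGN_XML.replace(ENVELOPED, XSLT_TRANSFORM)

def make_post_body(xml):
    """Encode XML the way the SAML HTTP-POST binding does (base64, form-urlencoded)."""
    return "SAMLResponse=" + quote_plus(base64.b64encode(xml.encode()).decode())
```

The check runs on the decoded form body before the application sees it, so it fits a WAF rule or a log-replay job; legitimate identity providers do not use XSLT transforms, so a hit is worth an alert regardless of whether the target is patched.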