Researchers Warn Against Zoho ManageEngine “Spray and Pray” Attacks

Security researchers issued a warning about a critically rated pre-authentication remote code execution (RCE) vulnerability, CVE-2022-47966, in Zoho ManageEngine products – including ServiceDesk Plus 14003 and Endpoint Central version 10.1.2888.10 – here’s what you need to know.

What is the situation?

According to researchers, an adversary could exploit the Zoho ManageEngine vulnerability if Security Assertion Markup Language (SAML) single sign-on is enabled or has ever been enabled. Additionally, researchers expect this vulnerability to be exploited as part of a “spray and pray” campaign, in which attackers target organizations at an unprecedented rate in the hope that one of their numerous attacks hits the mark.

How do adversaries conduct their attacks?

An attacker with root privileges on an affected Zoho ManageEngine endpoint can dump operating system credentials from the Local Security Authority Subsystem Service (LSASS) process. An adversary can then use the compromised credentials to move laterally within the compromised environment, leveraging existing public tools.
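The credential-dumping step described above is something a defender can detect rather than only patch against. The following is an added example, not code from this advisory, from Zoho or from Nuspire: a small Python detector that runs over Sysmon Event ID 10 (ProcessAccess) records and flags processes that obtain memory-read access to lsass.exe. The sample events, the allowlist of benign source images, the file paths and the user names are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of Sysmon Event ID 10 (ProcessAccess) fields, laid out
# as "Key: Value" lines with a blank line between events. None of these
# paths or users come from the advisory; they are made up for the example.
SAMPLE_EVENTS = r"""
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1000
SourceUser: NT AUTHORITY\SYSTEM

SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
SourceUser: NT AUTHORITY\SYSTEM

SourceImage: C:\Users\Public\procdump.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
SourceUser: EXAMPLE\svc_manageengine

SourceImage: C:\Windows\Temp\update.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
SourceUser: EXAMPLE\svc_manageengine

SourceImage: C:\Windows\System32\notepad.exe
TargetImage: C:\Windows\explorer.exe
GrantedAccess: 0x1FFFFF
SourceUser: EXAMPLE\alice
"""

# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010        # needed to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access, typical of dumping tools

# Assumed allowlist of Windows components that legitimately open LSASS on
# this host. Tune it per environment; an allowlist that is too broad hides
# the very behaviour the advisory warns about.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the Key: Value log text into one dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        event: Dict[str, str] = {}
        for line in chunk.splitlines():
            # partition on the first colon only: values contain "C:\..."
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def is_suspicious_lsass_access(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process gets memory-read access to LSASS."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCE_IMAGES:
        return False
    access = int(event.get("GrantedAccess", "0x0"), 16)
    # 0x1010 (VM_READ | QUERY_LIMITED_INFORMATION) and full access are the
    # masks most credential dumpers request; both set the VM_READ bit.
    return bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS


def detect(text: str) -> List[Dict[str, str]]:
    """Return the events that should raise an LSASS-access alert."""
    return [ev for ev in parse_events(text) if is_suspicious_lsass_access(ev)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT: {alert['SourceImage']} ({alert['SourceUser']}) "
              f"opened lsass.exe with access {alert['GrantedAccess']}")
```

Run as a script it prints two alerts, for `procdump.exe` and `update.exe`; the `svchost.exe` and `csrss.exe` accesses are suppressed by the allowlist and the `notepad.exe` event is ignored because its target is not LSASS. In a real deployment the same rule maps onto a SIEM query over Sysmon Event 10 with the `SourceImage` allowlist kept in a lookup table.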

A scan with Shodan, a search engine for internet-connected devices, reveals over a thousand internet-exposed instances of Zoho ManageEngine products. Of the ServiceDesk Plus instances, 509 have SAML enabled, and Shodan found 345 Endpoint Central instances with SAML enabled.

While there are no public reports of attacks leveraging this vulnerability and no observed attempts to exploit it in the wild as of this writing, motivated attackers will likely move quickly to build their own RCE exploits once the researchers publish their proof-of-concept code, even if they release only a minimal version.

What is Nuspire doing?

Nuspire is not affected by the Zoho ManageEngine vulnerability.

What should I do?

As noted above, threat actors can exploit the Zoho vulnerability even if SAML is not currently enabled but was enabled at some point in the past. The safest course of action is to patch regardless of the product’s SAML configuration. Organizations using Zoho ManageEngine should review Zoho’s security advisory and patch in accordance with its instructions.