Horizon3 Attack Team resellers warn that by the end of the week, a PoC for a critical RCE vulnerability affecting Zoho ManageEngine products will be available.

CVE-2022-47966 is related to the use of an outdated and vulnerable third-party Apache Santuario dependency. The bug has been fixed by several patches released starting from October 27, 2022.

Successful operation allows unauthorized attackers to execute arbitrary code from NT AUTHORITY\SYSTEM on ManageEngine servers if the SAML-based single sign-on (SSO) system is enabled or was enabled at least once before the attack.

The vulnerability is not difficult to use and allows you to effectively carry out "spray and pray" type attacks.

To date, the resellers have not provided technical details, providing only general indicators of compromise (IOC). However, by the end of the week, Horizon3 is planning to release its PoC exploit.

Despite the lack of information about attacks using this vulnerability in the wild, according to GreyNoise, hackers are highly likely to quickly move on to creating their own exploits as soon as Horizon3 publishes the PoC.

Given that preliminary estimates using Shodan indicate the vulnerability of 10% of all open ManageEngine products to CVE-2022-47966 attacks, administrators should pay close attention to the issues of fixing potentially vulnerable solutions. After all, in recent years, Zoho ManageEngine servers have been subjected to constant hacker attacks