As we warned, Horizon3 researchers have uncovered a PoC exploit and presented a technical analysis for the critical RCE vulnerability CVE-2022-47966 in Zoho ManageEngine products.

The vulnerability allows an attacker to implement RCE by sending an HTTP POST request containing a malicious SAML response.

POC abuses it to run a command using the Java Runtime.exec method.

The exploit has been successfully tested on ServiceDesk Plus and Endpoint Central, and according to Horizon3, POC will work unchanged in many ManageEngine products that use part of their codebase with ServiceDesk Plus or EndpointCentral.

Despite the fact that there have been no reports of attacks using this vulnerability and no attempts to use it in real conditions have been recorded, attackers are likely to quickly move on to developing their own RCE exploits based on the Horizon3 PoC code.

After all, as you know, in recent years, financially motivated and ART groups have actively attacked Zoho ManageEngine servers during their campaigns.