CISA warns of critical ManageEngine RCE bug used in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild.

This security flaw (CVE-2022-35405) can be exploited in low-complexity attacks, without requiring user interaction, to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software.

Proof-of-concept (PoC) exploit code and a Metasploit module (targeting this bug to gain RCE as the SYSTEM user) have been available online since August.

"The exploit POC for the above vulnerability is available in public," ManageEngine warned customers in July when it issued security patches to address this issue.

"We strongly recommend our customers to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately."

After being added to CISA's Known Exploited Vulnerabilities (KEV) catalog, all Federal Civilian Executive Branch Agencies (FCEB) agencies now must patch their systems against this bug exploited in the wild according to a binding operational directive (BOD 22-01) issued in November.

The federal agencies have three weeks, until October 13th, to ensure that their networks are protected from exploitation attempts.

All orgs urged to prioritize patching this flaw

Even though BOD 22-01 applies to U.S. FCEB agencies only, the U.S. cybersecurity agency also strongly urged all organizations from private and public sectors worldwide to prioritize patching this bug.

Following this advice and applying patches ASAP will decrease the attack surface attackers could use in attempts to breach their networks.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA explained on Thursday.

Since this binding directive was issued, CISA has added more than 800 security vulnerabilities to its catalog of bugs exploited in attacks, requiring federal agencies to address them on a tighter schedule.

All security professionals and admins are strongly recommended to review CISA's KEV catalog and patch listed bugs within their environment to block security breach attempts.

In recent years, Zoho ManageEngine servers have been constantly targeted, with Desktop Central instances, for instance, hacked and access to their networks sold on hacking forums starting with July 2020.

Between August and October 2021, ManageEngine servers have also been attacked by nation-state hackers using tactics and tooling similar to those deployed in attacks by the Chinese-linked APT27 hacking group.

Following these campaigns, the FBI and CISA issued two joint advisories (1, 2) warning of APT actors exploiting ManageEngine flaws to drop web shells on the networks of critical infrastructure orgs, including healthcare, electronics, financial services, and IT consulting industries.