These VMware products can remotely execute code, so update now

News
By
published

Proof-of-concept is pending release, experts warn

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Cybersecurity researchers from the Horizon3 Attack Team have announced plans to release a proof-of-concept (PoC) exploit for a critical vulnerability discovered in a number of VMware products. 

Having a PoC released means cybercriminals will get an easy explanation of how to exploit a flaw, which could result in a strong rise in successful breaches.

The flaw in question is tracked as CVE-2022-47966, a vulnerability that allows threat actors to remotely execute code in ManageEngine servers that have had the SAML-based single-sign-on (SSO) enabled at some point in the past (so turning the feature off will solve nothing). The vulnerable endpoints are using an outdated third-party dependency called Apache Santuario, the researchers said, adding that the attackers need not authenticate in order to run the code remotely.

Spray and pray

"The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' across the Internet. This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system," the researchers warned.

"If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done. Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement."

Read more

> VMware virtualization software is being hijacked to spy on businesses

> High-severity VMware bug still not patched, almost one year later

> Check out the best helpdesk software around

Although almost all ManageEngine products are vulnerable to the flaw, parent company Zoho was said to have already released a patch. 

Using Shodan to search for unpatched endpoints, the researchers found “thousands” of vulnerable ManageEngine products, instances of ServiceDesk Plus and Endpoint Central. 

Right now, there are no reports of CVE-2022-47966 being exploited in the wild, but if IT admins don’t patch the vulnerability on time, we can expect such reports to start pouring in sooner rather than later. 

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.