Tagvent 2023

The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)

CVE: CVE-2022-28810, CVE-2022-47966
In CISA KEV
Vulnerability: ManageEngine Products Put Organizations at Risk
Description: CVE-2022-28810 is a vulnerability in Zoho ManageEngine ADSelfService Plus, discovered in April 2022, that allows a remote authenticated administrator to execute arbitrary operating system commands as SYSTEM. CVE-2022-47966 is a critical pre-authentication remote code execution (RCE) vulnerability impacting multiple Zoho ManageEngine products, including popular solutions like ADSelfService Plus and ServiceDesk Plus.

Discovery and Initial Impact

CVE-2022-28810 was discovered by researchers at Rapid7 and publicly disclosed on April 14, 2022. At the time, it was estimated that over 6,000 organizations were potentially vulnerable due to internet-exposed ADSelfService Plus instances using default credentials. Proof-of-concept exploits were quickly developed and published, allowing attackers to easily compromise vulnerable organizations. Initial access could then be leveraged to achieve further penetration into networks.

CVE-2022-47966 is a critical pre-authentication remote code execution (RCE) vulnerability impacting multiple Zoho ManageEngine products, including popular solutions like ADSelfService Plus and ServiceDesk Plus. The vulnerability exists due to a vulnerable Apache library dependency used in ManageEngine software. An attacker can send a specially crafted request to trigger Java deserialization, achieving arbitrary code execution.

Exploitation and Long-Term Impacts

Since the disclosure, CVE-2022-28810 has been heavily exploited by various threat actors. It was added to CISA's Known Exploited Vulnerabilities Catalog in May 2022. Attacks leveraging this vulnerability are ongoing against organizations that have not yet patched. Post-compromise activity shows attackers utilizing access to deploy additional payloads, carry out ransomware attacks, and steal data.

As with CVE-2022-28810, proof-of-concept exploits for CVE-2022-47966 were quickly developed, and attackers widely exploited the vulnerability. Attackers used this vector for initial access before carrying out ransomware attacks, data theft, and cryptomining.

Why Defenders Should Still Be Concerned

While patches have been available for months, CVE-2022-28810 and CVE-2022-47966 remain dangerous and are still actively exploited in the wild. Internet scans continue to reveal vulnerable, internet-facing instances.

Related Links

Article: CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution

Article: CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability 

Article: MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA
