Widespread Exploitation of ManageEngine Flaw

Description

In early 2023, an APT exploited a vulnerability in Zoho’s ManageEngine software, tracked as CVE-2022-47966, to compromise a European internet infrastructure provider.

CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. It was present in various ManageEngine products due to the use of a version of Apache xmlsec that required the application to implement mitigations, which were not present.

Impact

In addition to the target of this APT, CISA also “identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023”, and other vendors reported widespread exploitation.

Type of Compromise

According to Flashpoint , while “usage of a more recent version of Apache Santuario […] could have mitigated exploitation in ManageEngine significantly”, the dependency itself was using an outdated, vulnerable (CVE-2014-0107) dependency called Apache Xalan, and says “the combination of this exceptionally old library, which by itself has a vulnerable dependency and insecure defaults” contributed to the impact.

References