On Friday, security researchers with Horizon3’s Attack Team warned admins that they created a proof-of-concept exploit for CVE-2022-47966.
“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet. This vulnerability allows for remote code execution as NT AUTHORITYSYSTEM, essentially giving an attacker complete control over the system,” Horizon3 vulnerability researcher James Horseman said.
Although they’re yet to release technical details and only shared indicators of compromise that defenders can use to determine if their systems have been compromised, Horizon3 plans to release their PoC exploit later this week.
Even though there are no public reports of attacks leveraging this vulnerability and no attempts to exploit it in the wild per cybersecurity firm GreyNoise, motivated attackers will likely move quickly to create their own RCE exploits once Horizon3 publishes their PoC code, even if they release a minimal version.
CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that can let attackers compromise Active Directory accounts, CVE-2022-1388, a critical bug that enables remote code execution in F5 BIG-IP networking devices, and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that lets threat actors gain admin privileges.
Zoho ManageEngine servers have been under constant attack in recent years, with nation-state hackers using tactics and tooling similar to those of the Chinese-linked APT27 hacking group targeting them between August and October 2021.