Threat actors are exploiting unpatched ManageEngine instances. CISA adds the vulnerability to its catalog and Zoho urges customers to check their deployments. Credit: Thinkstock A remote code execution vulnerability in Zoho’s ManageEngine, a popular IT management solution for enterprises, is being exploited in the wild. The US Cybersecurity & Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities last week, highlighting an immediate threat for organizations that haven’t yet patched their vulnerable deployments.The vulnerability, tracked as CVE-2022-3540, was privately reported to Zoho in June by a security researcher identified as Vinicius and was fixed later that same month. The researcher posted a more detailed writeup at the beginning of this month and, according to him, it’s a Java deserialization flaw inherited from an outdated version of Apache OFBiz, an open-source enterprise resource planning system, where it was patched in 2020 (CVE-2020-9496). This means that the Zoho ManageEngine products were vulnerable for two years due a failure to update a third-party component.Normally, Apache OFBiz exposes an XML-RPC endpoint at /webtools/control/xmlrpc, which can receive unauthenticated requests. Those requests can contain serialized arguments that are then deserialized and if the classpath contains any dangerous classes, remote code execution can be achieved. In the context of the OFBiz server, the attacker can run arbitrary system commands with the privileges of the servlet container running the server. Several Zoho ManageEngine products contain this component and expose the XML-RPC endpoint at /xmlrpc. One of the affected products is Zoho Password Manager Pro (PMP), which runs with NT Authority/system permissions, so successful exploitation can give an attacker full control over the server and access to the internal network. In addition to Zoho Password Manager Pro, the vulnerability was also found in ManageEngine Access Manager Plus, a web-based privileged session management solution for tracking remote connections, and ManageEngine PAM360, a privileged access management solution. All the impacted products are used for authentication and access management, so compromising any of them can have serious implications for an organization.Zoho advises users to upgrade to Access Manager Plus version 4303 or later, Password Manager Pro version 12101 or later and PAM360 5510 or later. The company says it has fixed the flaw by completely removing the vulnerable component from PAM360 and Access Manager Plus and removing the vulnerable XML-RPC parser from Password Manager Pro. How to check for the ManageEngine vulnerabilityIts security advisory includes steps for determining if a deployment has been targeted and potentially compromised:Navigate to /logs.Open the access_log_.txt file.Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.Search for the following line in the logs files. If it is present, then your installation is compromised:[/xmlrpc-_###_https-jsse-nio2--exec-] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetExceptionIf an installation has been compromised, isolate the affected machine immediately and initiate an incident response investigation. Zoho asks users to send them a copy of all the application logs if a compromise has been detected. Related content news Zscaler shuts down exposed system after rumors of a cyberattack Initially dismissing rumors, Zscaler now says it did have a system exposed but nothing important has been accessed. By Shweta Sharma May 09, 2024 3 mins Data Breach Cyberattacks news Palo Alto launches AI-powered solutions to fight AI-generated cyberthreats The suite is powered by Palo Alto’s proprietary solution, Precision AI, which integrates machine learning, deep learning, and generative AI technologies. By Prasanth Aby Thomas May 09, 2024 3 mins Generative AI Security Software news F5 patches BIG-IP Next Central Manager flaws that could lead to device takeover Two high-risk vulnerabilities could allow attackers to gain full administrative control on devices via leaked password hashes. By Lucian Constantin May 08, 2024 5 mins Threat and Vulnerability Management Cloud Security Vulnerabilities news Suspected Chinese hack of Britain’s Ministry of Defence linked to contractor, minister confirms The UK’s defence minister would not confirm that the attack was conducted by an element of the Chinese state, rather blaming the “potential failings” of a partner. By John Dunn May 08, 2024 4 mins Aerospace and Defense Industry Data Breach Government PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe