Threat actors are exploiting unpatched ManageEngine instances. CISA adds the vulnerability to its catalog and Zoho urges customers to check their deployments. Credit: Thinkstock A remote code execution vulnerability in Zoho’s ManageEngine, a popular IT management solution for enterprises, is being exploited in the wild. The US Cybersecurity & Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities last week, highlighting an immediate threat for organizations that haven’t yet patched their vulnerable deployments.The vulnerability, tracked as CVE-2022-3540, was privately reported to Zoho in June by a security researcher identified as Vinicius and was fixed later that same month. The researcher posted a more detailed writeup at the beginning of this month and, according to him, it’s a Java deserialization flaw inherited from an outdated version of Apache OFBiz, an open-source enterprise resource planning system, where it was patched in 2020 (CVE-2020-9496). This means that the Zoho ManageEngine products were vulnerable for two years due a failure to update a third-party component.Normally, Apache OFBiz exposes an XML-RPC endpoint at /webtools/control/xmlrpc, which can receive unauthenticated requests. Those requests can contain serialized arguments that are then deserialized and if the classpath contains any dangerous classes, remote code execution can be achieved. In the context of the OFBiz server, the attacker can run arbitrary system commands with the privileges of the servlet container running the server. Several Zoho ManageEngine products contain this component and expose the XML-RPC endpoint at /xmlrpc. One of the affected products is Zoho Password Manager Pro (PMP), which runs with NT Authority/system permissions, so successful exploitation can give an attacker full control over the server and access to the internal network. In addition to Zoho Password Manager Pro, the vulnerability was also found in ManageEngine Access Manager Plus, a web-based privileged session management solution for tracking remote connections, and ManageEngine PAM360, a privileged access management solution. All the impacted products are used for authentication and access management, so compromising any of them can have serious implications for an organization.Zoho advises users to upgrade to Access Manager Plus version 4303 or later, Password Manager Pro version 12101 or later and PAM360 5510 or later. The company says it has fixed the flaw by completely removing the vulnerable component from PAM360 and Access Manager Plus and removing the vulnerable XML-RPC parser from Password Manager Pro. How to check for the ManageEngine vulnerabilityIts security advisory includes steps for determining if a deployment has been targeted and potentially compromised:Navigate to /logs.Open the access_log_.txt file.Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.Search for the following line in the logs files. If it is present, then your installation is compromised:[/xmlrpc-_###_https-jsse-nio2--exec-] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetExceptionIf an installation has been compromised, isolate the affected machine immediately and initiate an incident response investigation. Zoho asks users to send them a copy of all the application logs if a compromise has been detected. Related content news Administrator of ransomware operation LockBit named, charged, has assets frozen A Russian national alleged to have been the administrator of the notorious and prolific LockBit ransomware provider faces international charges. A $10-million reward for the suspect’s arrest has been offered. By Lucian Constantin May 07, 2024 3 mins Advanced Persistent Threats Hacker Groups Ransomware news US deploys commerce and communications against cyber threats, Blinken says The US government is moving to address the challenges of quantum computing, cloud strategies, and generative AI, Anthony Blinken said in a speech that was light on specifics. By Evan Schuman May 07, 2024 4 mins Cyberattacks Government Threat and Vulnerability Management news Change Healthcare went without cyber insurance before debilitating ransomware attack In doing so, Change exposed itself not just to greater financial risk, but reputational damage too. By John Leyden May 07, 2024 5 mins Data Breach Ransomware news Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed Much similar to Citrix-Bleed, the information disclosure bug was identified within NetScaler devices configured as gateway or virtual servers. By Shweta Sharma May 07, 2024 3 mins Vulnerabilities PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe