The PoC exploit is planned to be released to the public by the end of the week.
The Horizon3 research team has developed a PoC exploit that targets a critical vulnerability in several Zoho ManageEngine products. At the end of the week, they plan to put it online, in the public domain. So, apparently, white hat hackers want to attract the attention of developers so that they “patch” a security hole as soon as possible.
The vulnerability is known as CVE-2022-47966. It allows unauthorized attackers to execute arbitrary code on ManageEngine servers, that is, to carry out RCE attacks.
The list of vulnerable programs includes almost all ManageEngine products. However, Zoho has already released updates for most of them.
Researchers from Horizon3's Attack Team have already alerted Zoho that they have created an exploit based on the vulnerability described above. While they haven't released the technical details yet, only providing Generic Indicators of Compromise (IOC), Horizon3 plans to release their exploit later this week.
The Horizon3 researchers also shared a screenshot showing their exploit in action. Its performance is shown on the example of ManageEngine ServiceDesk Plus.
James Horsman, a researcher at Horizon3, found that approximately 10% of all available ManageEngine products are vulnerable to CVE-2022-47966 attacks.
Although there are no public reports of attacks using this vulnerability and attempts to exploit it in real conditions, according to GreyNoise, interested attackers will most likely quickly move on to create their own RCE exploits, as soon as Horizon3 publishes its PoC code.