CISA warns of active exploitation of critical RCE bug affecting Zoho ManageEngine products

The vendor has already released security updates to fix the issue

The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical Java deserialisation bug affecting multiple Zoho ManageEngine products to its Known Exploited Vulnerabilities (KEV) catalogue and warned that the flaw has been actively exploited in attacks.

CISA has issued a directive to all agencies that fall under the Federal Civilian Executive Branch (FCEB) requiring them to patch the vulnerability by October 13 to ensure that their networks are protected from exploitation attempts.

A legally binding operational directive (BOD 22-01) issued by CISA in November requires FCEB agencies to safeguard their systems against vulnerabilities that are added to the KEV Catalogue in order to lessen the risk of known exploitable bugs across US government networks.

The remote code execution (RCE) vulnerability, indexed as CVE-2022-35405, can be exploited in attacks with a minimal level of sophistication and without requiring user interaction.

A successful attack would enable threat actors to achieve RCE on servers running unpatched Zoho ManageEngine PAM360, Password Manager Pro or Access Manager Plus software.

According to ManageEngine, authentication is not required to exploit the vulnerability in Password Manager Pro and PAM360 products.

Since August, both a Metasploit module and proof-of-concept (PoC) exploit code have been available online.

ManageEngine released security updates to fix this problem in July, and warned users that the exploit PoC for the weakness is publicly available.

'We strongly recommend our customers to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately,' the company said.

The following versions now have the complete fix for the vulnerability:

According to ManageEngine, the vulnerability is resolved by:

CISA strongly encourages all organisations to reduce their exposure to cyberattacks by prioritising the timely remediation of KEV catalogue vulnerabilities as part of their vulnerability management practice, despite BOD 22-01 only applying to FCEB agencies.
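The prioritisation CISA describes is mechanical enough to script: match unremediated scanner findings against the KEV catalogue and rank them by due date. The example below is added here and is not code from CISA, Zoho or the article; it uses the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate), but the feed excerpt, the dateAdded value, the second catalogue entry and the hostnames are constructed for illustration. Only the 13 October due date for CVE-2022-35405 comes from the article.

```python
"""Rank unremediated findings against a CISA KEV feed (added example, not from the article)."""
import json
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample in the shape of the CISA KEV JSON feed. Field names match the
# real feed. The CVE-2022-35405 record uses the due date reported in the article;
# its dateAdded and the whole second record are constructed placeholders.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-35405",
            "vendorProject": "Zoho",
            "product": "ManageEngine PAM360, Password Manager Pro, Access Manager Plus",
            "dateAdded": "2022-09-22",          # constructed
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-13",            # from the article
        },
        {
            "cveID": "CVE-1900-00001",          # constructed placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2022-09-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-22",
        },
    ],
})

# Constructed scanner output: (hostname, CVE) pairs that are still unpatched.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("pmp-01.example.internal", "CVE-2022-35405"),
    ("pam360-01.example.internal", "CVE-2022-35405"),
    ("build-07.example.internal", "CVE-1900-00001"),
    ("web-03.example.internal", "CVE-1900-00002"),   # not in the catalogue
]


@dataclass(frozen=True)
class Priority:
    host: str
    cve: str
    in_kev: bool
    due: Optional[date]
    days_left: Optional[int]   # negative once the KEV due date has passed


def load_kev(feed_json: str) -> dict:
    """Index catalogue entries by upper-cased CVE id, with dueDate parsed to a date."""
    entries = {}
    for record in json.loads(feed_json)["vulnerabilities"]:
        entry = dict(record)
        entry["dueDate"] = datetime.strptime(record["dueDate"], "%Y-%m-%d").date()
        entries[record["cveID"].upper()] = entry
    return entries


def prioritise(findings, feed_json: str, today_iso: str) -> List[Priority]:
    """Return findings ordered KEV-first, most overdue first, non-KEV findings last."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    kev = load_kev(feed_json)
    ranked = []
    for host, cve in findings:
        entry = kev.get(cve.upper())
        if entry is None:
            ranked.append(Priority(host, cve, False, None, None))
            continue
        days = (entry["dueDate"] - today).days
        ranked.append(Priority(host, cve, True, entry["dueDate"], days))
    # Stable sort: catalogued CVEs before the rest, then by days remaining
    # (overdue entries are negative and therefore come first).
    ranked.sort(key=lambda p: (not p.in_kev, p.days_left if p.days_left is not None else 10**6))
    return ranked


def overdue(findings, feed_json: str, today_iso: str) -> List[Priority]:
    """Subset of findings whose KEV due date has already passed."""
    return [p for p in prioritise(findings, feed_json, today_iso)
            if p.in_kev and p.days_left is not None and p.days_left < 0]


if __name__ == "__main__":
    for p in prioritise(SAMPLE_FINDINGS, SAMPLE_KEV_FEED, "2022-10-03"):
        status = "not in KEV" if not p.in_kev else (
            f"OVERDUE by {-p.days_left} days" if p.days_left < 0 else f"due in {p.days_left} days")
        print(f"{p.host:30} {p.cve:16} {status}")
```

Feeding the real feed in place of SAMPLE_KEV_FEED and a scanner export in place of SAMPLE_FINDINGS gives a daily worklist; the output order is the remediation order BOD 22-01 implies, and the overdue subset is what an FCEB agency would have to report on after the due date.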

Since issuing the binding directive in November, CISA has added more than 800 security weaknesses that are exploited in attacks to its KEV catalogue, necessitating a tighter schedule for federal agencies to fix them in order to prevent security breaches.

Earlier this month, CISA added 12 security vulnerabilities, including a Google Chrome zero-day, to its KEV catalogue based on evidence of active exploitation.

According to CISA, these bugs present a serious threat to the federal enterprise and are a common attack vector for malicious actors.

Last month, the agency warned of active exploitation of a security vulnerability impacting Palo Alto Networks' PAN-OS.