Threat actors are exploiting unpatched ManageEngine instances. CISA adds the vulnerability to its catalog and Zoho urges customers to check their deployments. Credit: Thinkstock A remote code execution vulnerability in Zoho’s ManageEngine, a popular IT management solution for enterprises, is being exploited in the wild. The US Cybersecurity & Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities last week, highlighting an immediate threat for organizations that haven’t yet patched their vulnerable deployments.The vulnerability, tracked as CVE-2022-3540, was privately reported to Zoho in June by a security researcher identified as Vinicius and was fixed later that same month. The researcher posted a more detailed writeup at the beginning of this month and, according to him, it’s a Java deserialization flaw inherited from an outdated version of Apache OFBiz, an open-source enterprise resource planning system, where it was patched in 2020 (CVE-2020-9496). This means that the Zoho ManageEngine products were vulnerable for two years due a failure to update a third-party component.Normally, Apache OFBiz exposes an XML-RPC endpoint at /webtools/control/xmlrpc, which can receive unauthenticated requests. Those requests can contain serialized arguments that are then deserialized and if the classpath contains any dangerous classes, remote code execution can be achieved. In the context of the OFBiz server, the attacker can run arbitrary system commands with the privileges of the servlet container running the server. Several Zoho ManageEngine products contain this component and expose the XML-RPC endpoint at /xmlrpc. One of the affected products is Zoho Password Manager Pro (PMP), which runs with NT Authority/system permissions, so successful exploitation can give an attacker full control over the server and access to the internal network. In addition to Zoho Password Manager Pro, the vulnerability was also found in ManageEngine Access Manager Plus, a web-based privileged session management solution for tracking remote connections, and ManageEngine PAM360, a privileged access management solution. All the impacted products are used for authentication and access management, so compromising any of them can have serious implications for an organization.Zoho advises users to upgrade to Access Manager Plus version 4303 or later, Password Manager Pro version 12101 or later and PAM360 5510 or later. The company says it has fixed the flaw by completely removing the vulnerable component from PAM360 and Access Manager Plus and removing the vulnerable XML-RPC parser from Password Manager Pro. How to check for the ManageEngine vulnerabilityIts security advisory includes steps for determining if a deployment has been targeted and potentially compromised:Navigate to /logs.Open the access_log_.txt file.Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.Search for the following line in the logs files. If it is present, then your installation is compromised:[/xmlrpc-_###_https-jsse-nio2--exec-] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetExceptionIf an installation has been compromised, isolate the affected machine immediately and initiate an incident response investigation. Zoho asks users to send them a copy of all the application logs if a compromise has been detected. Related content news CISA, FBI urge developers to patch path traversal bugs before shipping The advisory highlights how developers can follow best practices to fix these vulnerabilities during production. By Shweta Sharma May 03, 2024 3 mins Vulnerabilities news Microsoft continues to add, shuffle security execs in the wake of security incidents The company has appointed new product security chiefs as well as a customer-facing CISO as it continues to respond to high-profile attacks on its products and own network. By Elizabeth Montalbano May 03, 2024 4 mins CSO and CISO feature Malware explained: How to prevent, detect and recover from it What are the types of malware? How does malware spread? How do you know if you’re infected? We've got answers. By Josh Fruhlinger May 03, 2024 18 mins Ransomware Phishing Malware brandpost Sponsored by Cyber NewsWire LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience By Cyber NewsWire May 02, 2024 4 mins Cyberattacks Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe