Threat actors have been actively exploiting CVE-2022-47966, a vulnerability affecting various Zoho ManageEngine products that was patched between October and November, according to The Record, a news site run by cybersecurity firm Recorded Future.
Attacks leveraging the flaw were first discovered by Rapid7 on Jan. 18.
"Organizations using any of the affected products listed in ManageEngine's advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun," said Rapid7 researchers.
Zoho ManageEngine products with Security Assertion Markup Language (SAML) single sign-on enabled were particularly vulnerable to the attack. Horizon3.ai Head of Attack Engineering Eric Fredrickson noted that a Shodan search found more than 1,000 instances that met that requirement.
"In a worst-case scenario, an attacker would gain complete control of the system running the vulnerable ManageEngine project. From there, an attacker can pivot to other machines in the network, dump credentials, and deploy malware/ransomware," said Fredrickson.