‘Spray and pray’ attacks likely with Zoho ManageEngine RCE bug

Organizations using internet-exposed Zoho ManageEngine products with SAML single-sign-on enabled or previously enabled could be subjected to "spray and pray" attacks through CVE-2022-47966 exploitation, SecurityWeek reports. Attackers could leverage the easily exploitable vulnerability to facilitate complete system takeovers or deploy additional compromises, according to a report from Horizon3.ai. "Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement," said Horizon3.ai. More than 1,000 Zoho ManageEngine instance were found in a Shodan search to be internet-connected and have SAML enabled and while patches have been issued by Zoho last year, not all systems are expected to be remediated for the flaw. "We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product," said Horizon3.ai red-teamer James Horseman.