Critical Zoho ManageEngine RCE Vulnerability
On 22 September 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting Zoho ManageEngine products to its Known Exploited Vulnerabilities catalog. The vulnerability has a CVSS score of 9.8. It is a Java deserialisation flaw that allows an unauthenticated attacker to send a specially crafted XML-RPC request and execute code remotely as SYSTEM. An attacker can use it to gain elevated privileges on a target host.
Proof of concept (PoC) code has been publicly available online since August, as has a Metasploit module targeting this specific vulnerability. Brace168 strongly recommends patching all Zoho ManageEngine products to their most recent version as a priority.
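While patching is scheduled, captured request bodies can be triaged for XML-RPC calls that carry a serialised Java object. The following is an added example, not code from this advisory or from Zoho. It assumes POST bodies are available from a reverse proxy or WAF capture; the record fields, the `/example-rpc` path and the sample requests are constructed placeholders, not the product's real endpoint.

```python
import base64
import binascii
import re

# Every Java object serialisation stream starts with these four bytes.
JAVA_MAGIC = bytes.fromhex("aced0005")
# Element text that could be base64: 8+ base64 characters between two tags.
B64_TEXT = re.compile(r">\s*([A-Za-z0-9+/][A-Za-z0-9+/=\s]{7,})<")


def has_serialized_java(body: str) -> bool:
    """True if an XML-RPC call holds a base64 value that decodes to a Java serialisation stream."""
    if "<methodCall" not in body:
        return False
    for match in B64_TEXT.finditer(body):
        head = "".join(match.group(1).split())[:8]  # 8 chars decode to 6 bytes
        try:
            raw = base64.b64decode(head, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all
        if raw.startswith(JAVA_MAGIC):
            return True
    return False


def triage(requests):
    """Return (source_ip, path) for each captured POST whose body should be reviewed."""
    return [(r["src"], r["path"]) for r in requests
            if r["method"] == "POST" and has_serialized_java(r["body"])]


# Constructed sample data: the blob is only the magic header plus filler bytes.
_fake_blob = base64.b64encode(JAVA_MAGIC + b"constructed-filler").decode()
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/example-rpc",
     "body": "<methodCall><methodName>demo</methodName><params><param><value>"
             f"<base64>{_fake_blob}</base64></value></param></params></methodCall>"},
    {"src": "192.0.2.10", "method": "POST", "path": "/example-rpc",
     "body": "<methodCall><methodName>demo</methodName><params><param><value>"
             "<string>hello world</string></value></param></params></methodCall>"},
]

if __name__ == "__main__":
    for src, path in triage(SAMPLE_REQUESTS):
        print(f"review: {src} -> {path}")
```

A hit is a lead for review rather than proof of exploitation, and a clean result does not replace patching.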