Advisory January 20, 2023

CVE-2022-47966 | Security Advisory

Obrela SOC

Remote code execution vulnerability in multiple ManageEngine products

Unauthenticated threat actors who successfully exploit this vulnerability can execute arbitrary code on ManageEngine instances if SAML-based single sign-on (SSO) is or was enabled in the ManageEngine setup.

This pre-authentication RCE flaw is tracked as CVE-2022-47966 and stems from the use of an outdated and vulnerable version of the Apache Santuario library.

Recommendations:

Kindly proceed with the installation of the relevant updated versions of these products. This issue has been fixed by updating the third-party module (Apache Santuario) to a recent version.

References / IOCs:

The Threat Hunting and SOC teams of OBRELA remain vigilant and continue to monitor the activity.