CVE-2022-47966

Vulnerability updated 7 months ago (2024-05-04T17:23:50.289Z)
CVE-2022-47966 is a critical, pre-authentication remote code execution (RCE) vulnerability in Zoho ManageEngine on-premises products, among them ServiceDesk Plus, a widely deployed IT service management suite. The root cause was an outdated third-party XML signature library (Apache Santuario, xmlsec for Java) used by the products' SAML single sign-on: a crafted SAML response could run arbitrary code on an instance where SAML SSO was enabled, and for several products on any instance where it had ever been enabled, even if later switched off. Remediation is the product-specific fixed build listed in Zoho's advisory. The flaw carried a Kenna risk score of 100 out of 100.

In-the-wild exploitation began about five days after proof-of-concept (PoC) exploit code was published. North Korea's Lazarus Group used the flaw to deliver QuiteRAT, a then-new remote access trojan that shares much of the capability of the group's earlier MagicRAT but has a significantly smaller file size. A separate, unattributed group exploited it against a U.S. aeronautical-sector organization; the joint CISA advisory on that intrusion noted that nation-state APT actors gained unauthorized access to the organization's ManageEngine ServiceDesk Plus instance through CVE-2022-47966 and then moved laterally through its network. The same advisory covers CVE-2022-42475 in Fortinet FortiOS SSL-VPN, which is why that CVE appears in the associations below.

The Iranian APT group Peach Sandstorm was observed attempting to exploit this vulnerability together with CVE-2022-26134 in Atlassian Confluence to get into target environments. Remote exploitation of known RCE bugs in internet-facing applications, specifically these ManageEngine and Confluence flaws, was a recurring Peach Sandstorm initial-access technique, and in some intrusions the group favored it over its customary password spraying. One vendor tally counted two exploit samples for CVE-2022-47966 and one ProxyNotShell sample (CVE-2022-41080 and CVE-2022-41082); the source gives the year as 2022, although the ManageEngine flaw was not publicly disclosed until January 2023. Check Point IPS shipped a protection named "Zoho ManageEngine Remote Code Execution (CVE-2022-47966)" against these attacks.
Description last updated: 2024-03-15T01:16:28.465Z
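The page above does not show what an exploit request looks like, so the following is an added detection example written for this page; it is not code from Zoho, Cisco Talos, CISA, Check Point or any other cited source. It assumes the widely documented mechanism of CVE-2022-47966: a SAML response whose ds:Signature Reference carries an XSLT transform, which the outdated Apache Santuario library in affected builds executes with Xalan's Java extension functions. The two SAML responses are constructed samples, the marker strings are assumptions about what such a payload must contain, and `SAMLResponse` is the standard HTTP-POST binding parameter name. Run it over the decoded SAML responses captured at the ManageEngine SAML endpoint (or over the raw base64 parameter with `triage`).

```python
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Transform algorithm that asks the signature library to run an XSLT stylesheet over the data.
XSLT_TRANSFORM_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Transforms a legitimate SAML IdP uses in a ds:Reference (assumed allow-list).
EXPECTED_TRANSFORM_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
# Substrings that appear when an XSLT payload reaches Java through Xalan's extension namespace.
JAVA_EXEC_MARKERS = (
    "xml.apache.org/xalan/java",
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "getRuntime",
    "exec(",
)


def decode_saml_response(b64: str) -> bytes:
    """Decode the SAMLResponse POST parameter (the HTTP-POST binding base64-encodes it)."""
    return base64.b64decode(b64)


def analyze_saml_response(xml_bytes: bytes) -> list[str]:
    """Return findings for one decoded SAML response; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: list[str] = []
    for transform in root.iter(f"{{{DS_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg == XSLT_TRANSFORM_ALG:
            findings.append("XSLT transform algorithm in ds:Transform")
        elif alg not in EXPECTED_TRANSFORM_ALGS:
            findings.append(f"unexpected transform algorithm: {alg}")
        # The stylesheet child is the payload carrier whatever algorithm is declared.
        if any(el.tag.startswith(f"{{{XSL_NS}}}") for el in transform.iter()):
            findings.append("embedded xsl:stylesheet inside ds:Transform")
    text = xml_bytes.decode("utf-8", errors="replace")
    findings.extend(f"Java execution marker: {m}" for m in JAVA_EXEC_MARKERS if m in text)
    return findings


def triage(samlresponse_param: str) -> tuple[str, list[str]]:
    """Verdict plus findings for one raw SAMLResponse value as seen in the request."""
    findings = analyze_saml_response(decode_saml_response(samlresponse_param))
    return ("suspicious" if findings else "clean"), findings


# Constructed sample: an ordinary signed response as a real IdP would send it.
BENIGN_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
</samlp:Response>"""

# Constructed sample modelled on the published exploit pattern: the Reference transform is an
# XSLT stylesheet that reaches java.lang.Runtime through Xalan's Java extension namespace.
MALICIOUS_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"><ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
          xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
        <xsl:template match="/"><xsl:value-of select="rt:exec(rt:getRuntime(), 'id')"/></xsl:template>
      </xsl:stylesheet>
    </ds:Transform>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
</samlp:Response>"""

BENIGN_B64 = base64.b64encode(BENIGN_RESPONSE_XML.encode()).decode()
MALICIOUS_B64 = base64.b64encode(MALICIOUS_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    for label, param in (("benign", BENIGN_B64), ("malicious", MALICIOUS_B64)):
        verdict, findings = triage(param)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The algorithm check and the stylesheet check are deliberately independent: a payload that keeps the XSLT algorithm URI but hides the stylesheet elsewhere, or one that declares a benign algorithm while still embedding xsl:stylesheet, trips one of them, and the marker scan catches payloads that use a different transform mechanism but still name the Java classes. Treat any hit on an internet-facing ManageEngine host that has ever had SAML SSO enabled as an incident trigger, not just an alert.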
Aliases: none currently tracked.
Miscellaneous Associations
Other context tags that could aid in identifying relevance: ManageEngine, Vulnerability, Exploit, Remote Code ..., Confluence, APT, RCE (Remote ..., Fortinet
Associated Malware
Conti | association type: has used | votes: 2
Conti is ransomware that infiltrates systems to exploit and damage them. It often spreads through malicious downloads, emails or websites, and can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra
Associated Threat Actors
Peach Sandstorm | association type: has used | votes: 3
Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM or REFINED KITTEN, is a threat actor linked to the Iranian Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, this espionage group has primarily targeted the aerospace and energy sectors, alongside gover
Associated Vulnerabilities
CVE-2022-26134 | association type: Unspecified | votes: 3
CVE-2022-26134 is a critical vulnerability in Atlassian Confluence Server and Data Center. The flaw allows unauthenticated remote code execution (RCE) and was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th

CVE-2022-42475 | association type: Unspecified | votes: 2
CVE-2022-42475 is a critical zero-day vulnerability in the FortiOS SSL-VPN component of FortiGate firewalls, discovered by the vendor during an incident investigation. It is a heap-based buffer overflow that allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in
Source Document References
Information about the CVE-2022-47966 vulnerability was read from the documents below (display limited to 20 results).
Source (created)
CISA (6 days ago)
CISA (4 months ago)
DARKReading (8 months ago)
CERT-EU (10 months ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)