CVE-2022-47966

Vulnerability Profile Updated a month ago
CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks, and exploitation started just five days after proof-of-concept (PoC) exploits were publicly disclosed. The threat actors used this vulnerability to deliver and deploy a newer malware threat known as "QuiteRAT," which shares many capabilities with the Lazarus Group's MagicRAT malware but has a significantly smaller file size. The vulnerability had a Kenna risk score of 100 out of 100, indicating its high severity. The Peach Sandstorm Advanced Persistent Threat (APT) group was observed attempting to exploit this vulnerability, along with another in Atlassian Confluence (CVE-2022-26134), to infiltrate target environments. In 2022, two exploits of the Zoho ManageEngine flaw (CVE-2022-47966) and one ProxyNotShell (CVE-2022-41080, CVE-2022-41082) sample were seen. Remote exploitation of vulnerable applications was a common initial-access method for Peach Sandstorm, which targeted known remote code execution (RCE) vulnerabilities in both Zoho ManageEngine and Atlassian Confluence. North Korea's Lazarus Group and an unknown group that targeted a U.S. aeronautical organization also abused the Zoho ManageEngine vulnerability (CVE-2022-47966). In some instances, threat actors favored exploiting vulnerabilities over password spraying, specifically targeting RCE bugs in Zoho ManageEngine and Confluence. Check Point IPS provided protection against these threats, including Zoho ManageEngine Remote Code Execution (CVE-2022-47966). The advisory noted that nation-state APT groups exploited this vulnerability to gain unauthorized access to the organization's Zoho ManageEngine ServiceDesk Plus instance and subsequently moved laterally through its network.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Manageengine
Vulnerability
Exploit
Remote Code ...
Confluence
Fortinet
RCE (Remote ...
Apt
Implant
Malware
State Sponso...
Uk
Fortios
CISA
Iran
Microsoft
flaw
Apache
Windows
Infiltration
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, that was used to exploit and damage computer systems. This malicious software could infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope
CollectionRAT | Unspecified | 1 | CollectionRAT is a newly identified malware, discovered by cybersecurity researchers who traced its origins through reused infrastructure components. This malicious software, short for Malware, is designed to exploit and damage computers or devices, often infiltrating systems via suspicious download
MagicRAT | Unspecified | 1 | MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
QuiteRAT | Unspecified | 1 | QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
Associated Threat Actors
ID | Type | Votes | Profile Description
Peach Sandstorm | has used | 3 | Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group believed to be linked to the Iranian nation-state. The group has been active since at least 2013 and has previously targeted sectors such as aerospace and energy for espionag
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor attributed to North Korea, has been linked to numerous high-profile cyberattacks worldwide. This group is known for its sophisticated techniques and exploits, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022,
Mint Sandstorm | Unspecified | 1 | Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-26134 | Unspecified | 3 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2022-42475 | Unspecified | 2 | The critical zero-day vulnerability, CVE-2022-42475, was discovered in FortiGate firewalls during an incident investigation by the vendor. This flaw in software design or implementation allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in
CVE-2022-41080 | Unspecified | 1 | CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute
ProxyNotShell CVE-2022-41080 | Unspecified | 1 | None
ProxyNotShell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Citrix Bleed | Unspecified | 1 | Citrix Bleed, identified as CVE-2023-4966, is a severe software vulnerability in Citrix Netscaler Gateway and Netscaler ADC products, with a high CVSS score of 9.4 indicating its critical nature. This flaw allows for sensitive information disclosure, bypassing password requirements and multifactor a
Log4Shell | Unspecified | 1 | Log4Shell, a critical vulnerability in the logging feature of the Java programming language, also known as Log4j, was publicly disclosed on December 9th. This software flaw affected millions of devices and applications globally, including those in Estonia. The vulnerability, officially designated as
CVE-2021-40539 | Unspecified | 1 | None
Source Document References
Information about the CVE-2022-47966 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 3 months ago | Fortinet Warns of Yet Another Critical RCE Flaw
CERT-EU | 10 months ago | Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
CERT-EU | 10 months ago | North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
DARKReading | 9 months ago | Iranian APT Hits US Aviation Org via ManageEngine, Fortinet Bugs
CERT-EU | 10 months ago | North Korea's Lazarus APT Uses GUI Framework to Build Stealthy RAT
CERT-EU | 10 months ago | North Korea threat group exploiting ManageEngine ServiceDesk bug
CERT-EU | 9 months ago | Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU | 9 months ago | Aviation sector organization hit by exploit of CVE duo | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
SecurityIntelligence.com | 10 months ago | X-Force releases detection & response framework for managed file transfer software
CERT-EU | 9 months ago | APTs hit aeronautic firms with Zoho and Fortinet bugs
DARKReading | 9 months ago | Microsoft: 'Peach Sandstorm' Cyberattacks Target Defense, Pharmaceutical Orgs
Flashpoint | a year ago | ManageEngine Patch Released, But Apache Santuario Users Could Still Be At Risk
CERT-EU | 9 months ago | Cyber Security Week in Review: September 8, 2023
CERT-EU | a year ago | Iranian Hackers Target U.S. Energy and Transit Systems
CERT-EU | 10 months ago | Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
CERT-EU | 10 months ago | Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
CERT-EU | 10 months ago | Lazarus Employs Public ManageEngine Exploit to Breach Internet Firms | IT Security News
CERT-EU | 9 months ago | SafeBreach Coverage for US-CERT Alert AA23-250A
CERT-EU | 9 months ago | CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities
Securityaffairs | 9 months ago | Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns