Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of proof-of-concept (PoC) exploit code.
Zoho recently released a security advisory covering multiple ManageEngine products. It describes “an unauthenticated remote code execution vulnerability reported and patched” that affects many “ManageEngine products due to the usage of an outdated third-party dependency, Apache Santuario”.
The vulnerability allows an unauthenticated adversary to execute arbitrary code when the relevant SAML SSO criteria are met. Zoho says the issue has been fixed by updating the third-party module to the recent version. More details about ManageEngine can be found on their website: https://www.manageengine.com/products/desktop-central/about-manageengine.html.