Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability before proof-of-concept (PoC) exploit code is released.
Zoho recently released a security advisory covering multiple ManageEngine products. It describes “an unauthenticated remote code execution vulnerability reported and patched” that affects many “ManageEngine products due to the usage of an outdated third-party dependency, Apache Santuario”.
The vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria are met. Zoho says the issue has been fixed by updating the third-party module to the recent version. More details about ManageEngine can be found on its website: https://www.manageengine.com/products/desktop-central/about-manageengine.html.