September 7, 2023

CVE-2022-47966 and CVE-2022-42475

What we know so far

The Cybersecurity and Infrastructure Security Agency (CISA) conducted an incident response engagement at the affected organization (an aeronautical-sector organization) from February to April 2023. Its findings indicate that, beginning in January 2023, multiple nation-state advanced persistent threat (APT) actors gained access to the organization's network through two separate initial access vectors. The first was exploitation of CVE-2022-47966, an unauthenticated remote code execution flaw in Zoho ManageEngine products caused by an outdated Apache Santuario dependency and exploitable where SAML-based single sign-on had been enabled, against the organization's public-facing web server running ManageEngine ServiceDesk Plus. The second was exploitation of CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN, against the organization's firewall. Vendor fixes for both vulnerabilities had been released before the January 2023 intrusions, so the exposure came from unpatched internet-facing systems. CISA and its partners observed a range of activity whose tactics, techniques, and procedures (TTPs) are common to these APT actors, who continue to target vulnerabilities in internet-facing devices, particularly firewalls, virtual private networks (VPNs), and other edge network infrastructure, and exploit them to expand network access or establish malicious infrastructure.
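One check a defender can run against the first access vector, as an added example that is not part of this advisory or of Zoho's own code: public root-cause analysis of CVE-2022-47966 (not stated on this page, so treated here as a background assumption) found that a SAML response could carry an XSLT `ds:Transform` that the outdated Apache Santuario library executed while validating the signature. A legitimate assertion signature only ever needs the enveloped-signature and canonicalization transforms, so any other transform algorithm in a SAMLResponse posted to the ManageEngine SAML endpoint is worth flagging. The helper below decodes the base64 `SAMLResponse` form parameter and returns every transform algorithm not on a small allow-list; the two SAML documents it is run against are constructed for this example, and the XSLT stylesheet body is left empty on purpose.

```python
"""Triage helper for SAML responses sent to a Zoho ManageEngine SAML endpoint.

Added example, not code from the advisory or from Zoho. Background assumption
(public analysis of CVE-2022-47966, not on this page): an XSLT ds:Transform in
the SAML signature was executed during validation, so its presence in a posted
SAMLResponse is a strong exploitation indicator.
"""
import base64
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_ALGORITHM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transforms a legitimate SAML assertion signature actually needs.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def suspicious_transforms(saml_response_b64: str) -> list[str]:
    """Return the Algorithm URI of every ds:Transform not on the allow-list.

    Input is the base64 SAMLResponse form parameter as posted by the browser.
    An empty list means nothing to flag; input that is not valid base64 or not
    well-formed XML is reported as a single 'unparseable' entry so it still
    surfaces in triage rather than being silently dropped.
    """
    try:
        xml_bytes = base64.b64decode(saml_response_b64, validate=True)
        root = ET.fromstring(xml_bytes)
    except (ValueError, ET.ParseError):  # binascii.Error is a ValueError
        return ["unparseable"]
    findings = []
    for transform in root.iter(f"{{{XMLDSIG_NS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm not in ALLOWED_TRANSFORMS:
            findings.append(algorithm)
    return findings


def _wrap(transforms_xml: str) -> str:
    """Build a minimal constructed SAML response around the given transforms."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">'
        f"<ds:Transforms>{transforms_xml}</ds:Transforms>"
        "</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed sample: the transforms a normal IdP-signed assertion carries.
BENIGN_RESPONSE = _wrap(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

# Constructed sample: an XSLT transform in the signature (stylesheet body empty).
MALICIOUS_RESPONSE = _wrap(
    f'<ds:Transform Algorithm="{XSLT_ALGORITHM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"/>'
    "</ds:Transform>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("malicious", MALICIOUS_RESPONSE)):
        print(label, suspicious_transforms(sample))
```

Feed the function the `SAMLResponse` value captured from a reverse proxy, WAF or full packet capture in front of the ServiceDesk Plus host; web-server access logs alone will not do, since the parameter travels in the POST body. A hit on the XSLT algorithm against a host that ran a build without the fix should be treated as a likely compromise, not just an attempt.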
