Unpatched Zoho Devices
by Artie Kaye
A proof of concept exploit will be made public soon regarding a vulnerability that was patched last year in many Zoho ManageEngine products. The remote code execution flaw does not require authentication to use. As with all instances of security holes being made known to the public an increase of attacks will follow shortly after. If you are using any of the programs listed in the first link below, patch them at your soonest availability.
The flaw is listed as CVE-2022-47966.
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
https://www.securityweek.com/researchers-brace-zoho-manageengine-spray-and-pray-attacks
https://thehackernews.com/2023/01/zoho-manageengine-poc-exploit-to-be.html
CISA Advises Patching Flaws in ICS
by Artie Kaye
Vulnerabilities in various industrial control systems are outlined by CISA with mitigations and solutions. The items below are companies and their respective devices which can be patched. Due to the high severity of the flaws, it is recommended patching as soon as possible.
GE
Proficy Historian
Mitsubishi
Electric MELSEC iQ-F, iQ-R Series
Siemens
SINEC INS
S7-1500 CPU devices
Mendix SAML Module
Automation License Manager
Solid Edge before V2023 MP1
Contec
CONPROSYS HMI System (CHS) (Update A)
Sewio
RTLS Studio
RONDS
Equipment Predictive Maintenance Solution
InHand
Networks InRouter
Panasonic
Sanyo CCTV Network Camera
SAUTER
Controls Nova 200 – 220 Series (PLC 6)
Johnson
Controls Metasys
Hitachi
Energy Lumada APM
Philips
Patient Information Center iX (PIC iX) and Efficia CM Series (Update A)
https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html