CVE-2022-47966
Last modified
CVE-2022-47966 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.75% chance of exploitation in the next 30 days.
Description
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Zohocorp | Manageengine Access Manager Plus | < 4.3 | — |
| Zohocorp | Manageengine Access Manager Plus | 4.3 | Build4300 |
| Zohocorp | Manageengine Ad360 | < 4.3 | — |
| Zohocorp | Manageengine Ad360 | 4.3 | 4300 |
| Zohocorp | Manageengine Adaudit Plus | < 7.0 | — |
| Zohocorp | Manageengine Adaudit Plus | 7.0 | 7000 |
| Zohocorp | Manageengine Admanager Plus | < 7.1 | — |
| Zohocorp | Manageengine Admanager Plus | 7.1 | 7100 |
| Zohocorp | Manageengine Adselfservice Plus | < 6.2 | — |
| Zohocorp | Manageengine Adselfservice Plus | 6.2 | 6200 |
| Zohocorp | Manageengine Analytics Plus | < 5.1 | — |
| Zohocorp | Manageengine Analytics Plus | 5.1 | 5100 |
| Zohocorp | Manageengine Assetexplorer | < 6.9 | — |
| Zohocorp | Manageengine Assetexplorer | 6.9 | 6900 |
| Zohocorp | Manageengine Key Manager Plus | < 6.4 | — |
| Zohocorp | Manageengine Key Manager Plus | 6.4 | 6400 |
| Zohocorp | Manageengine Pam360 | < 5.7 | — |
| Zohocorp | Manageengine Pam360 | 5.7 | Build5700 |
| Zohocorp | Manageengine Password Manager Pro | < 12.1 | — |
| Zohocorp | Manageengine Password Manager Pro | 12.1 | Build12100 |
| Zohocorp | Manageengine Servicedesk Plus | < 14.0 | — |
| Zohocorp | Manageengine Servicedesk Plus | 14.0 | 14000 |
| Zohocorp | Manageengine Servicedesk Plus Msp | < 13.0 | — |
| Zohocorp | Manageengine Servicedesk Plus Msp | 13.0 | 13000 |
| Zohocorp | Manageengine Supportcenter Plus | 11.0 | 11017 |
| Zohocorp | Manageengine Application Control Plus | < 10.1.2220.18 | — |
| Zohocorp | Manageengine Browser Security Plus | < 11.1.2238.6 | — |
| Zohocorp | Manageengine Device Control Plus | < 10.1.2220.18 | — |
| Zohocorp | Manageengine Endpoint Dlp Plus | < 10.1.2137.6 | — |
| Zohocorp | Manageengine Os Deployer | < 1.1.2243.1 | — |
| Zohocorp | Manageengine Patch Manager Plus | < 10.1.2220.18 | — |
| Zohocorp | Manageengine Remote Access Plus | < 10.1.2228.11 | — |
| Zohocorp | Manageengine Remote Monitoring And Management Central | < 10.1.41 | — |
| Zohocorp | Manageengine Vulnerability Manager Plus | < 10.1.2220.18 | — |
References
- http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysisExploit, Third Party Advisory
- https://blog.viettelcybersecurity.com/saml-show-stopper/Exploit, Third Party Advisory
- https://github.com/horizon3ai/CVE-2022-47966Third Party Advisory
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250aThird Party Advisory, US Government Resource
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/Exploit, Third Party Advisory
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.htmlPatch, Vendor Advisory
- http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
- https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysisExploit, Third Party Advisory
- https://blog.viettelcybersecurity.com/saml-show-stopper/Exploit, Third Party Advisory
- https://github.com/horizon3ai/CVE-2022-47966Third Party Advisory
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250aThird Party Advisory, US Government Resource
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/Exploit, Third Party Advisory
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.htmlPatch, Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47966US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2022-47966?
How severe is CVE-2022-47966?
How do I fix CVE-2022-47966?
Are you affected by CVE-2022-47966?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST