⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2023-02-13.

CVE-2022-47966

Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.03%)
CISA KEV: KEV, Ransomware; added 2023-01-23; due 2023-02-13
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Jan 18; KEV added Jan 23; KEV due Feb 13; latest update Sep 26
CISA Required Action: Apply updates per vendor instructions.

Description

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManage

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Patches

🔴Vulnerability Details (3)

CVEList (2023-01-18): CVE-2022-47966: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xml
GHSA (2023-01-18): GHSA-mqq7-v29v-25f6: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka X
VulnCheck (2022): Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability

💥Exploits & PoCs (4)

Metasploit: ManageEngine ServiceDesk Plus Unauthenticated SAML RCE
Metasploit: ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Metasploit: ManageEngine Endpoint Central Unauthenticated SAML RCE
Nuclei: ManageEngine - Remote Command Execution

🔍Detection Rules (5)

Suricata (2023-05-02): ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M10 (CVE-2022-47966)
Suricata (2023-05-02): ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M11 (CVE-2022-47966)
Suricata (2023-05-02): ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M12 (CVE-2022-47966)
Suricata (2023-01-19): ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966)
Suricata (2023-01-19): ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966)

📋Vendor Advisories (2)

CISA (2023-01-23): Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
Red Hat (2023-01-19): ManageEngine: remote code execution vulnerability in multiple ManageEngine products

🕵️Threat Intelligence (6)

Microsoft (2024-09-26): Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Talos (2023-08-24): Lazarus Group's infrastructure reuse leads to discovery of new malware
Talos (2023-08-24): Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
Talos (2023-08-24): Lazarus Group's infrastructure reuse leads to discovery of new malware
Sentinelone (2023-02-24): CVE-2022-47966: Zoho ManageEngine Vulnerability
CVE-2022-47966 (CRITICAL CVSS 9.8) | Multiple Zoho ManageEngine on-premi | cvebase.io