CVE-2022-47966
published 2023-01-18


Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2023-02-13)
Exploited in the wild
EPSS: 99.75% (100.0th percentile)
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Affected

34 ranges, showing 25

Vendor     Product                                  Version range    Fixed in
zohocorp   manageengine_access_manager_plus         < 4.3            4.3
zohocorp   manageengine_access_manager_plus
zohocorp   manageengine_ad360                       < 4.3            4.3
zohocorp   manageengine_ad360
zohocorp   manageengine_adaudit_plus                < 7.0            7.0
zohocorp   manageengine_adaudit_plus
zohocorp   manageengine_admanager_plus              < 7.1            7.1
zohocorp   manageengine_admanager_plus
zohocorp   manageengine_adselfservice_plus          < 6.2            6.2
zohocorp   manageengine_adselfservice_plus
zohocorp   manageengine_analytics_plus              < 5.1            5.1
zohocorp   manageengine_analytics_plus
zohocorp   manageengine_application_control_plus    < 10.1.2220.18   10.1.2220.18
zohocorp   manageengine_assetexplorer               < 6.9            6.9
zohocorp   manageengine_assetexplorer
zohocorp   manageengine_browser_security_plus       < 11.1.2238.6    11.1.2238.6
zohocorp   manageengine_device_control_plus         < 10.1.2220.18   10.1.2220.18
zohocorp   manageengine_endpoint_dlp_plus           < 10.1.2137.6    10.1.2137.6
zohocorp   manageengine_key_manager_plus            < 6.4            6.4
zohocorp   manageengine_key_manager_plus
zohocorp   manageengine_os_deployer                 < 1.1.2243.1     1.1.2243.1
zohocorp   manageengine_pam360                      < 5.7            5.7
zohocorp   manageengine_pam360
zohocorp   manageengine_password_manager_pro        < 12.1           12.1
zohocorp   manageengine_password_manager_pro

Detection & IOCs (extracted from sources)

filename: scvhost.exe
path: C:\Windows\Debug\a.conf
filename: obfs.ps1
filename: recon.ps1
command: pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password]
  • Alert on Cobalt Strike .dll and .ocx payload files launched via rundll32.exe and regsvr32.exe respectively, as used by Storm-0501 post-exploitation of CVE-2022-47966.
  • Monitor for execution of obfs.ps1 or recon.ps1 — obfuscated variants of ADRecon used for Active Directory reconnaissance post-exploitation.
  • Detect Lazarus Group's malicious Plink (pvhost.exe) establishing reverse tunnels; look for the -R flag forwarding port 8118 on localhost to remote port 18118.
  • Monitor for DeimosC2 Linux ELF beacon activity (GoLang-based C2 framework) on internet-facing Linux servers — Lazarus Group deployed this during initial access after exploiting CVE-2022-47966.
  • CVE-2022-47966 exploitation requires SAML SSO to have been configured at some point; for some products it must be currently active. Instances that have never had SAML SSO configured are not exploitable.
  • The vulnerability stems from Apache Santuario xmlsec (XML Security for Java) version 1.4.1, which by design delegates certain security protections to the application; the ManageEngine products failed to implement those protections.
  • All affected ManageEngine products are on-premises only; cloud-hosted ManageEngine services are not affected. Patching was completed in late 2022.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL