CVE-2022-47966
Published 2023-01-18
Priority P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-02-13
Exploited in the wild
EPSS: 99.75% (100.0th percentile)
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
Affected
34 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_access_manager_plus | < 4.3 | 4.3 |
| zohocorp | manageengine_access_manager_plus | — | — |
| zohocorp | manageengine_ad360 | < 4.3 | 4.3 |
| zohocorp | manageengine_ad360 | — | — |
| zohocorp | manageengine_adaudit_plus | < 7.0 | 7.0 |
| zohocorp | manageengine_adaudit_plus | — | — |
| zohocorp | manageengine_admanager_plus | < 7.1 | 7.1 |
| zohocorp | manageengine_admanager_plus | — | — |
| zohocorp | manageengine_adselfservice_plus | < 6.2 | 6.2 |
| zohocorp | manageengine_adselfservice_plus | — | — |
| zohocorp | manageengine_analytics_plus | < 5.1 | 5.1 |
| zohocorp | manageengine_analytics_plus | — | — |
| zohocorp | manageengine_application_control_plus | < 10.1.2220.18 | 10.1.2220.18 |
| zohocorp | manageengine_assetexplorer | < 6.9 | 6.9 |
| zohocorp | manageengine_assetexplorer | — | — |
| zohocorp | manageengine_browser_security_plus | < 11.1.2238.6 | 11.1.2238.6 |
| zohocorp | manageengine_device_control_plus | < 10.1.2220.18 | 10.1.2220.18 |
| zohocorp | manageengine_endpoint_dlp_plus | < 10.1.2137.6 | 10.1.2137.6 |
| zohocorp | manageengine_key_manager_plus | < 6.4 | 6.4 |
| zohocorp | manageengine_key_manager_plus | — | — |
| zohocorp | manageengine_os_deployer | < 1.1.2243.1 | 1.1.2243.1 |
| zohocorp | manageengine_pam360 | < 5.7 | 5.7 |
| zohocorp | manageengine_pam360 | — | — |
| zohocorp | manageengine_password_manager_pro | < 12.1 | 12.1 |
| zohocorp | manageengine_password_manager_pro | — | — |
Detection & IOCs (extracted from sources)
- Alert on Cobalt Strike .dll and .ocx payload files launched via rundll32.exe and regsvr32.exe respectively, as used by Storm-0501 post-exploitation of CVE-2022-47966.
- Monitor for execution of obfs.ps1 or recon.ps1, obfuscated variants of ADRecon used for Active Directory reconnaissance post-exploitation.
- Detect Lazarus Group's malicious Plink (pvhost.exe) establishing reverse tunnels; look for the -R flag forwarding port 8118 on localhost to remote port 18118.
- Monitor for DeimosC2 Linux ELF beacon activity (a Go-based C2 framework) on internet-facing Linux servers; Lazarus Group deployed it during initial access after exploiting CVE-2022-47966.
- CVE-2022-47966 exploitation requires SAML SSO to have been configured at some point; for some products it must be currently active. Instances that have never had SAML SSO configured are not exploitable.
- The vulnerability stems from Apache Santuario xmlsec (XML Security for Java) version 1.4.1, which by design delegates certain security protections to the application; the ManageEngine products did not implement those protections.
- All affected ManageEngine products are on-premises only; cloud-hosted ManageEngine services are not affected. Patching was completed in late 2022.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mqq7-v29v-25f6 (CWE-20)
ghsa_unreviewed · 2023-01-18 · CVE-2022-47966 [CRITICAL]
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
VulnCheck
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
vulncheck · 2022 · CVSS 9.8 [CRITICAL]
Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/; https://www.microsoft.com/en-us/securi
CISA
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
cisa · 2023-01-23 · CVSS 9.8 [CRITICAL]
Affected: Zoho ManageEngine
Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario.
Required Action: Apply updates per vendor instructions.
Notes: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html; https://nvd.nist.gov/vuln/detail/CVE-2022-47966
Remediation Due Date: 2023-02-13
Red Hat
ManageEngine: remote code execution vulnerability in multiple ManageEngine products (CWE-303)
vendor_redhat · 2023-01-19 · CVSS 9.8 [CRITICAL]
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus
Suricata
ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M10 (CVE-2022-47966)
suricata · 2023-05-02 · CVSS 9.8 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M10 (CVE-2022-47966)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse="; startswith; fast_pattern; nocase; base64_decode:offset 0, relative; base64_data; content:"|3a|getRuntime|28 29|"; nocase; content:"|3a|exec|28|"; nocase; reference:cve,2022-47966; classtype:attempted-admin; sid:2045301; rev:1; metadata:attack_target Server, created_at 2023_05_02, cve CVE_2022_47966, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag ManageEngine, tag CISA_KEV, tag Description_Gene
Suricata
ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M11 (CVE-2022-47966)
suricata · 2023-05-02 · CVSS 9.8 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M11 (CVE-2022-47966)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse="; startswith; fast_pattern; nocase; base64_decode:offset 0, relative; base64_data; content:"|3a|eval|28|"; nocase; reference:cve,2022-47966; classtype:attempted-admin; sid:2045302; rev:1; metadata:attack_target Server, created_at 2023_05_02, cve CVE_2022_47966, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_02; target:de
Suricata
ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M12 (CVE-2022-47966)
suricata · 2023-05-02 · CVSS 9.8 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M12 (CVE-2022-47966)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SAMLResponse="; startswith; fast_pattern; nocase; base64_decode:offset 0, relative; base64_data; content:"getEngineByName"; nocase; content:"nashorn"; nocase; reference:cve,2022-47966; classtype:attempted-admin; sid:2045303; rev:1; metadata:attack_target Server, created_at 2023_05_02, cve CVE_2022_47966, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag ManageEngine, tag CISA_KEV, tag Description_Generated_By_Pr
Suricata
ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966)
suricata · 2023-01-19 · CVSS 9.8 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|27|SAMLResponse|27|"; fast_pattern; content:"|3a|"; within:5; content:"|27|"; base64_decode:offset 0, relative; base64_data; content:"|3a|getRuntime|28 29|"; content:"|3a|exec|28|"; reference:cve,2022-47966; classtype:attempted-admin; sid:2043335; rev:2; metadata:attack_target Server, created_at 2023_01_19, cve CVE_2022_47966, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, reviewed_at 2023_10_11, mitre_tactic_i
Suricata
ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966)
suricata · 2023-01-19 · CVSS 9.8 [CRITICAL]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|SAMLResponse|22|"; fast_pattern; content:"|3a|"; within:5; content:"|22|"; base64_decode:offset 0, relative; base64_data; content:"|3a|getRuntime|28 29|"; content:"|3a|exec|28|"; reference:cve,2022-47966; classtype:attempted-admin; sid:2043336; rev:2; metadata:attack_target Server, created_at 2023_01_19, cve CVE_2022_47966, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, reviewed_at 2023_10_11, mitre_tactic_i
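The five ET EXPLOIT signatures above share one detection pattern: a POST body carrying a SAMLResponse which, once base64-decoded, contains Java Runtime or script-engine invocation strings. The Python below is an added example, not code from the page, Emerging Threats or Proofpoint; it reproduces that logic over constructed request bodies so the rule semantics can be checked offline. The sample bodies, the helper names and the split into a "form" carrier (M10-M12) and a "quoted" carrier (M1/M2) are this script's own assumptions drawn from the rules' content matches.

```python
"""Offline re-implementation of the ET EXPLOIT CVE-2022-47966 Suricata signatures.

Added example; not code from the page, Emerging Threats or Proofpoint. All sample
bodies are constructed and carry only the bare tokens the rules look for.
"""
import base64
import binascii
import re
from urllib.parse import quote_from_bytes, unquote_plus

# M10-M12: request body starts with "SAMLResponse=" (nocase); the value runs to the next '&'.
FORM_PREFIX = re.compile(rb"^SAMLResponse=([^&]*)", re.I)
# M1/M2: a quoted key 'SAMLResponse' or "SAMLResponse", a ':' within a few bytes, then a
# quoted base64 value (case-sensitive, as the originals carry no `nocase`).
QUOTED_KEY = re.compile(rb"(['\"])SAMLResponse\1\s{0,3}:\s{0,3}\1([A-Za-z0-9+/=]+)\1")

# name -> (carrier kinds the rule applies to, content matches that must all hit after decoding)
SIGNATURES = {
    "M1/M2 (sid 2043335/2043336): Runtime exec, quoted SAMLResponse key": (
        ("quoted",), (re.compile(rb":getRuntime\(\)"), re.compile(rb":exec\("))),
    "M10 (sid 2045301): Runtime exec, SAMLResponse= form body": (
        ("form",), (re.compile(rb":getRuntime\(\)", re.I), re.compile(rb":exec\(", re.I))),
    "M11 (sid 2045302): eval, SAMLResponse= form body": (
        ("form",), (re.compile(rb":eval\(", re.I),)),
    "M12 (sid 2045303): Nashorn script engine, SAMLResponse= form body": (
        ("form",), (re.compile(rb"getEngineByName", re.I), re.compile(rb"nashorn", re.I))),
}


def extract_saml_response(body: bytes):
    """Return (carrier, raw_base64) for a body the rules would inspect, else None."""
    m = FORM_PREFIX.match(body)
    if m:  # form-encoded: undo percent-encoding and '+' before base64-decoding
        return "form", unquote_plus(m.group(1).decode("latin-1")).encode("latin-1")
    m = QUOTED_KEY.search(body)
    if m:
        return "quoted", m.group(2)
    return None


def lenient_b64decode(value: bytes) -> bytes:
    """Decode like the rules' base64_decode: take the leading base64 run, tolerate missing padding."""
    run = re.match(rb"[A-Za-z0-9+/=]*", value).group(0)
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run)
    except (binascii.Error, ValueError):
        return b""


def match_signatures(method: bytes, body: bytes) -> list:
    """Names of the quoted rules whose content matches would all fire on this request."""
    if method.upper() != b"POST":  # every rule requires http.method POST on a to_server flow
        return []
    found = extract_saml_response(body)
    if found is None:
        return []
    carrier, raw = found
    decoded = lenient_b64decode(raw)
    if not decoded:
        return []
    return [name for name, (carriers, patterns) in SIGNATURES.items()
            if carrier in carriers and all(p.search(decoded) for p in patterns)]


# Constructed sample request bodies (not captured traffic).
def form_body(decoded: bytes) -> bytes:
    return b"SAMLResponse=" + quote_from_bytes(base64.b64encode(decoded)).encode() + b"&RelayState=home"


def quoted_body(decoded: bytes) -> bytes:
    return b"{'SAMLResponse':'" + base64.b64encode(decoded) + b"','RelayState':'home'}"


SAMPLES = {
    "benign_login": (b"POST", form_body(b'<samlp:Response ID="_c1"><saml:Assertion/></samlp:Response>')),
    "runtime_exec_form": (b"POST", form_body(b"CONSTRUCTED :getRuntime() :exec( CONSTRUCTED")),
    "runtime_exec_quoted": (b"POST", quoted_body(b"CONSTRUCTED :getRuntime():exec( CONSTRUCTED")),
    "eval_form": (b"POST", form_body(b"CONSTRUCTED :eval( CONSTRUCTED")),
    "nashorn_form": (b"POST", form_body(b"CONSTRUCTED getEngineByName NASHORN CONSTRUCTED")),
    "nashorn_get": (b"GET", form_body(b"CONSTRUCTED getEngineByName nashorn CONSTRUCTED")),
    "not_saml": (b"POST", b"user=alice&password=CONSTRUCTED"),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to the list of rule names that would alert on it."""
    return {name: match_signatures(method, body) for name, (method, body) in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:22s} -> {hits or 'no alert'}")
```

Note that only the form-body rules are case-insensitive, so a mixed-case token reaches M10-M12 but not M1/M2, and a GET carrying the same body is ignored by all five.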
Metasploit
ManageEngine ServiceDesk Plus Unauthenticated SAML RCE
metasploit · CVSS 9.8 [CRITICAL]
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
Metasploit
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
metasploit · CVSS 9.8 [CRITICAL]
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
Metasploit
ManageEngine Endpoint Central Unauthenticated SAML RCE
metasploit · CVSS 9.8 [CRITICAL]
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the Endpoint Central SAML endpoint. Note that the target is only vulnerable if it is configured with SAML-based SSO and the service is active.
Nuclei
ManageEngine - Remote Command Execution
nuclei · CVSS 9.8 [CRITICAL]
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
Template:

```yaml
id: CVE-2022-47966
info:
  name: ManageEngine - Remote Command Execution
  author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearch
  severity: critical
  description: |
    Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features,
```
Tenable
CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
blogs_tenable · 2026-04-06 · CVSS 9.8 [CRITICAL]
Tenable
CVE-2025-64155 PoC released Command Injection Vulnerability
blogs_tenable · 2026-01-14 · CVSS 9.8 [CRITICAL]
Tenable
CVE-2025-64446 FortiWeb Zero-Day Exploited
blogs_tenable · 2025-11-14 · CVSS 9.8 [CRITICAL]
Tenable
CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
blogs_tenable · 2025-08-13 · CVSS 9.8 [CRITICAL]
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable · 2025-06-27
Tenable
CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
blogs_tenable · 2025-05-14 · CVSS 9.8 [CRITICAL]
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable · 2025-01-14 · CVSS 9.8 [CRITICAL]
Tenable
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
blogs_tenable · 2024-11-19
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer · 2024-11-12 · CVSS 10.0 [CRITICAL] · Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Bleepingcomputer
Embargo ransomware escalates attacks to cloud environments
blogs_bleepingcomputer · 2024-09-27 · CVSS 9.8 [CRITICAL] · Bill Toulas
## Storm-0501 attack flow
The attacker gains access to cloud environments by exploiting weak credentials and taking advantage of privileged accounts, with the goal of stealing data and executing a ransomware payload.
Microsoft explains that the Storm-0501 obtains initial access to the network with stolen or purchased credentials, or by exploiting known vulnerabilities.
Some of the flaws used in recent attacks are CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016).
The adversary moves laterally using frameworks like Impacket and Cobalt Strike, steals data through a custom Rclone binary renamed to mimic a Windows tool, and disab
Microsoft
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
blogs_microsoft · 2024-09-26 · CVSS 9.8 [CRITICAL] · Research
Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.
After gaining initial a
Checkpoint
11th September – Threat Intelligence Report
blogs_checkpoint · 2023-09-11 · CVSS 9.8 [CRITICAL]
For the latest discoveries in cyber research for the week of 11th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point warns of a recent email phishing campaign abusing the data visualization tool Google Looker Studio. Attackers use the tool to send slideshow emails to victims from official Google accounts, instructing them to visit 3rd-party websites to collect cryptocurrency. The websites will then prompt the victims
Tenable
Cybersecurity Snapshot: Cyber Pros Taxed by Overwork, Understaffing and Lack of Support, as Stress Takes a Toll
blogs_tenable · 2023-09-08
Bleepingcomputer
Iranian hackers breach US aviation org via ManageEngine, Fortinet bugs
blogs_bleepingcomputer · 2023-09-07 · CVSS 9.8 [CRITICAL] · Sergiu Gatlan
State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho ManageEngine and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.
The threat groups behind this breach are yet to be named, but while the joint advisory didn't connect the attackers to a specific state, USCYBERCOM's press release links the malicious actors to Iranian exploitation efforts.
CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization's network since at least January after hackin
Tenable
AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
blogs_tenable · 2023-09-07 · CVSS 9.8 [CRITICAL]
Talos
Lazarus Group's infrastructure reuse leads to discovery of new malware
blogs_talos · 2023-08-24 · CVSS 9.8 [CRITICAL]
- In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”
- CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
- Lazarus Group appears to be changing its tactics, increasingly rely
Talos
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
blogs_talos·2023-08-24·CVSS 9.8
CVE-2022-47966 [CRITICAL] Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
- Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
- In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.
- QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size
Sentinelone
CVE-2022-39952: Fortinet FortiNAC Remote Code Execution Vulnerability
blogs_sentinelone·2023-02-24·CVSS 9.8
CVE-2022-39952 [CRITICAL] CVE-2022-39952: Fortinet FortiNAC Remote Code Execution Vulnerability
Recently, a critical Remote Code Execution (RCE) vulnerability (CVE-2022-39952) was discovered in Fortinet’s FortiNAC product. This vulnerability could allow attackers to upload malicious payloads to the server, leading to a complete compromise of the affected system.
In this blog post, we will discuss the details of the CVE-2022-39952 vulnerability, the Fortinet FortiNAC product, and the vulnerable code that led to this RCE:
## About the CVE-2022-39952
The vulnerability is classified as a remote code execution (RCE) vulnerability with a CVSS score of 9.8, which is considered critical.
This means that it has the potential to be exploited by attackers to gain complete control over an affected system.
The vulnerability is caused by a lack of authentication and validation in the ‘ /con
Sentinelone
CVE-2022-47966: Zoho ManageEngine Vulnerability
blogs_sentinelone·2023-02-24·CVSS 9.8
CVE-2022-47966 [CRITICAL] CVE-2022-47966: Zoho ManageEngine Vulnerability
In October 2022, a critical vulnerability was discovered in the SAML authentication feature of the software, which could allow an attacker to bypass authentication, gain unauthorized access, and execute arbitrary code on the affected system. The vulnerability has been assigned as CVE-2022-47966.
## SAML Information Flow
Before we dive into the technical details, let’s discuss what SAML is and how it works. SAML (Security Assertion Markup Language) is an XML-based protocol used for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP).
The SAML process involves three parties: the user, the SP, and the IdP.
First, the user requests access to a protected resource on the SP’s server.
The SP then reques
Checkpoint
23rd January – Threat Intelligence Report
blogs_checkpoint·2023-01-23·CVSS 9.8
CVE-2022-42475 [CRITICAL] 23rd January – Threat Intelligence Report
## 23rd January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The fast food brand ‘Yum! Brands’, operator of leading fast food restaurants including KFC, Pizza Hut and Taco Bell, has been targeted by a ransomware attack. The attack led to the temporary closure of almost 300 branches in the United Kingdom. No group has claimed responsibility at this point.
Vice Society ransomware gang has claim
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Wiz
CVE-2025-11669 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-11669 [CRITICAL] CVE-2025-11669 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11669: Zoho ManageEngine Access Manager Plus vulnerability analysis and mitigation
Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality.
Source : NVD
Score 8.1
Published January 13, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Zoho ManageEngine Access Manager Plus
Zoho ManageEngine PAM360
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:zohocorp:manageengine_access_manager_plus
cpe:2.3:a:zohocorp:manageengin
Threat Intel
Storm-0501 (Storm-0501)
threat_intel·CVSS 9.8
[CRITICAL] Storm-0501 (Storm-0501)
# Threat Actor Profile: Storm-0501
ATT&CK ID: G1053
Also known as: Storm-0501
## Overview
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.(Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022)(Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)(Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)(Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)
## Techniques (TTPs)
### Resource Development
- T1587.003 Digita
Greynoiseio
The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
blogs_greynoiseio·CVSS 6.8
[MEDIUM] The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
References
- http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html
- https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis
- https://blog.viettelcybersecurity.com/saml-show-stopper/
- https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
- https://github.com/horizon3ai/CVE-2022-47966
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47966
Published: 2023-01-18
Added to CISA KEV: 2023-01-23
Exploited in the wild