Remote code execution in multiple Zoho ManageEngine products

Published: 2023-01-17 | Updated: 2023-02-08

Risk	Critical
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2022-47966
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	Vulnerability #1 is being exploited in the wild.
Vulnerable software Subscribe	ManageEngine Access Manager Plus Server applications / Directory software, identity management Zoho ManageEngine Active Directory 360 Server applications / Directory software, identity management Vulnerability Manager Plus Server applications / Other server solutions Patch Manager Plus Server applications / Other server solutions Password Manager Pro Server applications / Other server solutions PAM 360 Server applications / Other server solutions Key Manager Plus Server applications / Other server solutions Endpoint DLP Server applications / Other server solutions Endpoint Central MSP Server applications / Other server solutions Endpoint Central Server applications / Other server solutions Device Control Plus Server applications / Other server solutions ManageEngine Browser Security Plus Server applications / Other server solutions ManageEngine Application Control Plus Server applications / Other server solutions ManageEngine Analytics Plus Server applications / Other server solutions Zoho ManageEngine ServiceDesk Plus MSP Server applications / Other server solutions Remote Monitoring and Management (RMM) Server applications / Remote management servers, RDP, SSH OS Deployer Server applications / Remote management servers, RDP, SSH Zoho ManageEngine ADAudit Plus Server applications / Remote management servers, RDP, SSH Zoho ManageEngine Remote Access Plus Web applications / Remote management & hosting panels ManageEngine AssetExplorer Web applications / Remote management & hosting panels Zoho ManageEngine ServiceDesk Plus Web applications / Remote management & hosting panels Zoho ManageEngine ADManager Plus Client/Desktop applications / Software for system administration Zoho ManageEngine ADSelfService Plus Client/Desktop applications / Software for system administration Zoho ManageEngine SupportCenter Plus Server applications / Conferencing, Collaboration and VoIP solutions
Vendor	ManageEngine Zoho Corporation

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Input validation error

EUVDB-ID: #VU71210

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-47966

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error in the Apache Santuario, which affects Zoho ManageEngine products, when SAML SSO is enabled. A remote non-authenticated attacker can bypass authentication process and compromise the affected system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Note, the vulnerability affects systems with configured SAML-based SSO.

Vulnerable software versions

ManageEngine Access Manager Plus: 4.1 4100 - 4.3 4307

Vulnerability Manager Plus: before 10.1.2220.18

Remote Monitoring and Management (RMM): before 10.1.41

Zoho ManageEngine Remote Access Plus: before 10.1.2228.11

Patch Manager Plus: before 10.1.2220.18

Password Manager Pro: before 12124

PAM 360: before 5713

OS Deployer: before 1.1.2243.1

Key Manager Plus: before 6401

Endpoint DLP: before 10.1.2137.6

Endpoint Central MSP: before 10.1.2228.11

Endpoint Central: before 10.1.2228.11

Device Control Plus: before 10.1.2220.18

ManageEngine Browser Security Plus: before 11.1.2238.6

ManageEngine Application Control Plus: before 10.1.2220.18

ManageEngine Analytics Plus: before 5150

Zoho ManageEngine ADManager Plus: before 7162

Zoho ManageEngine Active Directory 360: before 4310

ManageEngine AssetExplorer: before 6983

Zoho ManageEngine ServiceDesk Plus MSP: before 13001

Zoho ManageEngine SupportCenter Plus: before 11026

Zoho ManageEngine ADAudit Plus: before 7081

Zoho ManageEngine ADSelfService Plus: before 6211

Zoho ManageEngine ServiceDesk Plus: before 14.0 14004

CPE2.3

cpe:2.3:a:manageengine:manageengine_access_manager_plus:4.3:4307:*:*:*:*:*:*

External links

http://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?