Remote code execution in multiple Zoho ManageEngine products
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-47966 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software |
ManageEngine Access Manager Plus Server applications / Directory software, identity management Zoho ManageEngine Active Directory 360 Server applications / Directory software, identity management Vulnerability Manager Plus Server applications / Other server solutions Patch Manager Plus Server applications / Other server solutions Password Manager Pro Server applications / Other server solutions PAM 360 Server applications / Other server solutions Key Manager Plus Server applications / Other server solutions Endpoint DLP Server applications / Other server solutions Endpoint Central MSP Server applications / Other server solutions Endpoint Central Server applications / Other server solutions Device Control Plus Server applications / Other server solutions ManageEngine Browser Security Plus Server applications / Other server solutions ManageEngine Application Control Plus Server applications / Other server solutions ManageEngine Analytics Plus Server applications / Other server solutions Zoho ManageEngine ServiceDesk Plus MSP Server applications / Other server solutions Remote Monitoring and Management (RMM) Server applications / Remote management servers, RDP, SSH OS Deployer Server applications / Remote management servers, RDP, SSH Zoho ManageEngine ADAudit Plus Server applications / Remote management servers, RDP, SSH Zoho ManageEngine Remote Access Plus Web applications / Remote management & hosting panels ManageEngine AssetExplorer Web applications / Remote management & hosting panels Zoho ManageEngine ServiceDesk Plus Web applications / Remote management & hosting panels Zoho ManageEngine ADManager Plus Client/Desktop applications / Software for system administration Zoho ManageEngine ADSelfService Plus Client/Desktop applications / Software for system administration Zoho ManageEngine SupportCenter Plus Server applications / Conferencing, Collaboration and VoIP solutions |
| Vendor |
ManageEngine Zoho Corporation |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Input validation error
EUVDB-ID: #VU71210
Risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2022-47966
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified error in the Apache Santuario, which affects Zoho ManageEngine products, when SAML SSO is enabled. A remote non-authenticated attacker can bypass authentication process and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Install update from vendor's website.
Note, the vulnerability affects systems with configured SAML-based SSO.
Vulnerable software versionsManageEngine Access Manager Plus: 4.1 4100 - 4.3 4307
Vulnerability Manager Plus: All versions
Remote Monitoring and Management (RMM): All versions
Zoho ManageEngine Remote Access Plus: All versions
Patch Manager Plus: All versions
Password Manager Pro: All versions
PAM 360: All versions
OS Deployer: All versions
Key Manager Plus: All versions
Endpoint DLP: All versions
Endpoint Central MSP: All versions
Endpoint Central: All versions
Device Control Plus: All versions
ManageEngine Browser Security Plus: All versions
ManageEngine Application Control Plus: All versions
ManageEngine Analytics Plus: All versions
Zoho ManageEngine ADManager Plus: All versions
Zoho ManageEngine Active Directory 360: All versions
ManageEngine AssetExplorer: All versions
Zoho ManageEngine ServiceDesk Plus MSP: All versions
Zoho ManageEngine SupportCenter Plus: All versions
Zoho ManageEngine ADAudit Plus: All versions
Zoho ManageEngine ADSelfService Plus: All versions
Zoho ManageEngine ServiceDesk Plus: All versions
CPE2.3- cpe:2.3:a:manageengine:manageengine_access_manager_plus:4.1:4100:*:*:*:*:*:*
- cpe:2.3:a:manageengine:manageengine_access_manager_plus:4.1:4101:*:*:*:*:*:*
- cpe:2.3:a:manageengine:manageengine_access_manager_plus:4.2:4200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:vulnerability_manager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:remote_monitoring_and_management_rmm:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_remote_access_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:patch_manager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:password_manager_pro:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:pam_360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:os_deployer:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:key_manager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:endpoint_dlp:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:endpoint_central_msp:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:endpoint_central:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:device_control_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_browser_security_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_application_control_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_admanager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_active_directory_360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_assetexplorer:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus_msp:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_supportcenter_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:adaudit_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:*:*:*:*:*:*:*:*
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
