Remote code execution in multiple Zoho ManageEngine products

Updated: 2023-02-08
Risk Critical
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-47966
CWE-ID CWE-20
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
ManageEngine Access Manager Plus
Server applications / Directory software, identity management

Zoho ManageEngine Active Directory 360
Server applications / Directory software, identity management

Vulnerability Manager Plus
Server applications / Other server solutions

Patch Manager Plus
Server applications / Other server solutions

Password Manager Pro
Server applications / Other server solutions

PAM 360
Server applications / Other server solutions

Key Manager Plus
Server applications / Other server solutions

Endpoint DLP
Server applications / Other server solutions

Endpoint Central MSP
Server applications / Other server solutions

Endpoint Central
Server applications / Other server solutions

Device Control Plus
Server applications / Other server solutions

ManageEngine Browser Security Plus
Server applications / Other server solutions

ManageEngine Application Control Plus
Server applications / Other server solutions

ManageEngine Analytics Plus
Server applications / Other server solutions

Zoho ManageEngine ServiceDesk Plus MSP
Server applications / Other server solutions

Remote Monitoring and Management (RMM)
Server applications / Remote management servers, RDP, SSH

OS Deployer
Server applications / Remote management servers, RDP, SSH

Zoho ManageEngine ADAudit Plus
Server applications / Remote management servers, RDP, SSH

Zoho ManageEngine Remote Access Plus
Web applications / Remote management & hosting panels

ManageEngine AssetExplorer
Web applications / Remote management & hosting panels

Zoho ManageEngine ServiceDesk Plus
Web applications / Remote management & hosting panels

Zoho ManageEngine ADManager Plus
Client/Desktop applications / Software for system administration

Zoho ManageEngine ADSelfService Plus
Client/Desktop applications / Software for system administration

Zoho ManageEngine SupportCenter Plus
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor ManageEngine
Zoho Corporation

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Input validation error

EUVDB-ID: #VU71210

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2022-47966

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an unspecified error in Apache Santuario, which affects Zoho ManageEngine products when SAML SSO is enabled. A remote non-authenticated attacker can bypass the authentication process and compromise the affected system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install the update from the vendor's website.

Note, the vulnerability affects only systems with SAML-based SSO configured.

Vulnerable software versions

ManageEngine Access Manager Plus: 4.1 4100 - 4.3 4307

Vulnerability Manager Plus: All versions

Remote Monitoring and Management (RMM): All versions

Zoho ManageEngine Remote Access Plus: All versions

Patch Manager Plus: All versions

Password Manager Pro: All versions

PAM 360: All versions

OS Deployer: All versions

Key Manager Plus: All versions

Endpoint DLP: All versions

Endpoint Central MSP: All versions

Endpoint Central: All versions

Device Control Plus: All versions

ManageEngine Browser Security Plus: All versions

ManageEngine Application Control Plus: All versions

ManageEngine Analytics Plus: All versions

Zoho ManageEngine ADManager Plus: All versions

Zoho ManageEngine Active Directory 360: All versions

ManageEngine AssetExplorer: All versions

Zoho ManageEngine ServiceDesk Plus MSP: All versions

Zoho ManageEngine SupportCenter Plus: All versions

Zoho ManageEngine ADAudit Plus: All versions

Zoho ManageEngine ADSelfService Plus: All versions

Zoho ManageEngine ServiceDesk Plus: All versions

External links

https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can an attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
