CVE-2022-47966 — CRITICAL (9.8)

Q: How severe is CVE-2022-47966?

CVE-2022-47966 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-47966?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Access Manager Plus, Zohocorp Manageengine Ad360, Zohocorp Manageengine Adaudit Plus, Zohocorp Manageengine Admanager Plus, Zohocorp Manageengine Adselfservice Plus.

Vulnerability Description

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Access Manager Plus	< 4.3
Zohocorp	Manageengine Ad360	< 4.3
Zohocorp	Manageengine Adaudit Plus	< 7.0
Zohocorp	Manageengine Admanager Plus	< 7.1
Zohocorp	Manageengine Adselfservice Plus	< 6.2
Zohocorp	Manageengine Analytics Plus	< 5.1
Zohocorp	Manageengine Assetexplorer	< 6.9
Zohocorp	Manageengine Key Manager Plus	< 6.4
Zohocorp	Manageengine Pam360	< 5.7
Zohocorp	Manageengine Password Manager Pro	< 12.1
Zohocorp	Manageengine Servicedesk Plus	< 14.0
Zohocorp	Manageengine Servicedesk Plus Msp	< 13.0
Zohocorp	Manageengine Supportcenter Plus	11.0
Zohocorp	Manageengine Application Control Plus	< 10.1.2220.18
Zohocorp	Manageengine Browser Security Plus	< 11.1.2238.6
Zohocorp	Manageengine Device Control Plus	< 10.1.2220.18
Zohocorp	Manageengine Endpoint Dlp Plus	< 10.1.2137.6
Zohocorp	Manageengine Os Deployer	< 1.1.2243.1
Zohocorp	Manageengine Patch Manager Plus	< 10.1.2220.18
Zohocorp	Manageengine Remote Access Plus	< 10.1.2228.11

Related Weaknesses (CWE)

CWE-20

References

http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-1ExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-UnauExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MExploitThird Party AdvisoryVDB Entry
https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysisExploitThird Party Advisory
https://blog.viettelcybersecurity.com/saml-show-stopper/ExploitThird Party Advisory
https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6Release Notes
https://github.com/horizon3ai/CVE-2022-47966Third Party Advisory
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250aThird Party AdvisoryUS Government Resource
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ExploitThird Party Advisory
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.htmlPatchVendor Advisory
http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-1ExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-UnauExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MExploitThird Party AdvisoryVDB Entry
https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysisExploitThird Party Advisory
https://blog.viettelcybersecurity.com/saml-show-stopper/ExploitThird Party Advisory

FAQ

What is CVE-2022-47966?

CVE-2022-47966 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the...

How severe is CVE-2022-47966?

CVE-2022-47966 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-47966?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Access Manager Plus, Zohocorp Manageengine Ad360, Zohocorp Manageengine Adaudit Plus, Zohocorp Manageengine Admanager Plus, Zohocorp Manageengine Adselfservice Plus.