
Zoho ManageEngine RCE Vulnerability CVE-2022-47966

Proof-of-concept expected to be released for a critical RCE vulnerability, which affects 24 Zoho ManageEngine Products

Summary

Proof-of-concept expected to be released for a critical RCE vulnerability, which affects 24 Zoho ManageEngine Products


The following platforms are also known to be affected:

  • Active Directory 360, Versions: 4309 and earlier
  • ADManager Plus, Versions: 7161 and earlier
  • Analytics Plus, Versions: 5140 and earlier
  • Application Control Plus, Versions: 10.1.2220.17 and earlier
  • Asset Explorer, Versions: 6982 and earlier
  • Browser Security Plus, Versions: 11.1.2238.5 and earlier
  • Device Control Plus, Versions: 10.1.2220.17 and earlier
  • Endpoint Central, Versions: 10.1.2228.10 and earlier
  • Endpoint Central MSP, Versions: 10.1.2228.10 and earlier
  • Endpoint DLP, Versions: 10.1.2137.5 and earlier
  • Key Manager Plus, Versions: 6400 and earlier
  • OS Deployer, Versions: 1.1.2243.0 and earlier
  • Patch Manager Plus, Versions: 10.1.2220.17 and earlier
  • Remote Access Plus, Versions: 10.1.2228.10 and earlier
  • Remote Monitoring and Management (RMM), Versions: 10.1.40 and earlier
  • Vulnerability Manager Plus, Versions: 10.1.2220.17 and earlier

Threat details

Introduction

In October 2022, Zoho ManageEngine released a security update to address a critical remote code execution (RCE) vulnerability affecting 24 of its products. The vulnerability, CVE-2022-47966, relates to the use of an outdated third-party dependency, Apache Santuario. It applies only to products on which SAML SSO has been enabled at any point in the ManageEngine setup.

This vulnerability could allow an unauthenticated, remote attacker to execute code with SYSTEM-level privileges and take control of an affected system. A proof-of-concept (PoC) is expected to be released, and previous vulnerabilities in ManageEngine products have been used as an attack vector.

CISA adds CVE-2022-47966 to Known Exploited Vulnerability Catalog

CISA has added CVE-2022-47966 to the Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.


Threat updates

Date         Update
24 Jan 2023  CISA adds CVE-2022-47966 to Known Exploited Vulnerability Catalog

This article has been updated to reflect the status of exploitation. 


Remediation advice

Affected organisations must review ManageEngine's critical severity "Security advisory for remote code execution vulnerability in multiple ManageEngine products" CVE-2022-47966 and apply relevant security updates.
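To decide which installations to update first, the affected-build list above can be checked against an asset inventory. The script below is an added example, not code from NHS Digital or ManageEngine: the product names and builds are copied from this page, while the inventory rows, status labels and function names are constructed. It assumes "and earlier" means any build at or below the one listed, and treats an unknown SAML SSO history as enabled.

```python
# Added example: product names and affected builds are copied from the list on this
# page; the inventory rows, status labels and function names are constructed.
AFFECTED_MAX = {
    "Active Directory 360": "4309", "ADManager Plus": "7161",
    "Analytics Plus": "5140", "Application Control Plus": "10.1.2220.17",
    "Asset Explorer": "6982", "Browser Security Plus": "11.1.2238.5",
    "Device Control Plus": "10.1.2220.17", "Endpoint Central": "10.1.2228.10",
    "Endpoint Central MSP": "10.1.2228.10", "Endpoint DLP": "10.1.2137.5",
    "Key Manager Plus": "6400", "OS Deployer": "1.1.2243.0",
    "Patch Manager Plus": "10.1.2220.17", "Remote Access Plus": "10.1.2228.10",
    "Remote Monitoring and Management (RMM)": "10.1.40",
    "Vulnerability Manager Plus": "10.1.2220.17",
}

def at_or_below(installed, ceiling):
    """Numeric compare of dotted builds, zero-padded, so 10.1.5 sorts below 10.1.40."""
    a, b = (tuple(int(p) for p in v.strip().split(".")) for v in (installed, ceiling))
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def triage(product, version, saml_ever_enabled):
    ceiling = AFFECTED_MAX.get(product)
    if ceiling is None:
        return "NOT_LISTED_CHECK_VENDOR_ADVISORY"  # this page lists 16 of the 24 products
    try:
        in_range = at_or_below(version, ceiling)
    except ValueError:
        return "UNPARSEABLE_VERSION_CHECK_MANUALLY"
    if not in_range:
        return "ABOVE_AFFECTED_BUILDS"
    # The CVE applies only where SAML SSO was ever enabled; None (unknown) counts as yes.
    if saml_ever_enabled is False:
        return "AFFECTED_BUILD_SAML_NEVER_ENABLED"
    return "AFFECTED_BUILD_SAML_ENABLED_OR_UNKNOWN"

INVENTORY = [  # constructed sample rows: (host, product, version, saml_ever_enabled)
    ("mdm-01", "Endpoint Central", "10.1.2228.10", True),
    ("adm-02", "ADManager Plus", "7162", True),
    ("rmm-03", "Remote Monitoring and Management (RMM)", "10.1.5", None),
    ("kmp-04", "Key Manager Plus", "6400", False),
    ("sdp-05", "ServiceDesk Plus", "14003", True),
]

def run(inventory=INVENTORY):
    return {host: triage(product, ver, saml) for host, product, ver, saml in inventory}

if __name__ == "__main__":
    for host, status in run().items():
        print(f"{host:8} {status}")
```

Hosts reported as `AFFECTED_BUILD_SAML_NEVER_ENABLED` still run a build in the affected range and should be updated; the status only lowers their place in the queue.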



Last edited: 24 January 2023 2:09 pm