
Zoho ManageEngine RCE Vulnerability CVE-2022-47966


Summary

A proof of concept is expected to be released for a critical remote code execution (RCE) vulnerability affecting 24 Zoho ManageEngine products.


The following products and builds are known to be affected (this is not the full list of 24 products; the vendor advisory lists the remainder):

  • AD360, Versions: 4309 and earlier
  • ADManager Plus, Versions: 7161 and earlier
  • Analytics Plus, Versions: 5140 and earlier
  • Application Control Plus, Versions: 10.1.2220.17 and earlier
  • Asset Explorer, Versions: 6982 and earlier
  • Browser Security Plus, Versions: 11.1.2238.5 and earlier
  • Device Control Plus, Versions: 10.1.2220.17 and earlier
  • Endpoint Central, Versions: 10.1.2228.10 and earlier
  • Endpoint Central MSP, Versions: 10.1.2228.10 and earlier
  • Endpoint DLP, Versions: 10.1.2137.5 and earlier
  • Key Manager Plus, Versions: 6400 and earlier
  • OS Deployer, Versions: 1.1.2243.0 and earlier
  • Patch Manager Plus, Versions: 10.1.2220.17 and earlier
  • Remote Access Plus, Versions: 10.1.2228.10 and earlier
  • Remote Monitoring and Management (RMM), Versions: 10.1.40 and earlier
  • Vulnerability Manager Plus, Versions: 10.1.2220.17 and earlier

Threat details

Introduction

Beginning in October 2022, Zoho ManageEngine released security updates to address a critical remote code execution (RCE) vulnerability affecting 24 of its products. CVE-2022-47966 stems from the use of an outdated version of a third-party dependency, Apache Santuario (the Apache XML Security library), which the products use to process SAML SSO responses. The vulnerability is exploitable only where SAML SSO is enabled or, depending on the product, has been enabled at any point in the past; any installation that has ever had SAML SSO configured should be treated as exposed.

The vulnerability could allow an unauthenticated, remote attacker to execute code with SYSTEM-level privileges and take full control of an affected system. A proof of concept (PoC) is expected to be released, and earlier vulnerabilities in ManageEngine products have been exploited in the wild.
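The check a practitioner needs here is a build-number comparison against the affected builds listed above, combined with the SAML SSO condition described in the introduction. The script below is an added example and is not code from NHS Digital, Zoho or ManageEngine; the affected-build ceilings are copied from the list on this page, while the hostnames, SAML flags and the ServiceDesk Plus build "14000" in SAMPLE_INVENTORY are constructed test data. It also shows the pitfall that makes this worth scripting: dotted builds such as "10.1.2228.9" and "10.1.2228.10" must be compared numerically, not as strings.

```python
"""Build-number triage for CVE-2022-47966.

Added example; not code from NHS Digital, Zoho or ManageEngine.  The
affected-build ceilings are those listed in this alert; hostnames, SAML
flags and the ServiceDesk Plus build in SAMPLE_INVENTORY are constructed.
"""
from typing import Dict, List, Tuple

# Highest affected build per product, copied from the list in this alert.
# Builds at or below the ceiling are affected; builds above it carry the fix.
AFFECTED_UP_TO: Dict[str, str] = {
    "AD360": "4309",
    "ADManager Plus": "7161",
    "Analytics Plus": "5140",
    "Application Control Plus": "10.1.2220.17",
    "Asset Explorer": "6982",
    "Browser Security Plus": "11.1.2238.5",
    "Device Control Plus": "10.1.2220.17",
    "Endpoint Central": "10.1.2228.10",
    "Endpoint Central MSP": "10.1.2228.10",
    "Endpoint DLP": "10.1.2137.5",
    "Key Manager Plus": "6400",
    "OS Deployer": "1.1.2243.0",
    "Patch Manager Plus": "10.1.2220.17",
    "Remote Access Plus": "10.1.2228.10",
    "Remote Monitoring and Management (RMM)": "10.1.40",
    "Vulnerability Manager Plus": "10.1.2220.17",
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn "10.1.2228.10" into (10, 1, 2228, 10).

    Tuples of ints compare numerically, component by component.  A plain
    string comparison is wrong here: as text, "10.1.2228.9" > "10.1.2228.10".
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def triage(product: str, build: str, saml_sso_ever_enabled: bool) -> str:
    """Classify one installation against this alert's affected-build list.

    "not-listed"       product is not in the list above (ServiceDesk Plus, for
                       example); check the vendor advisory, do not assume safe
    "patched"          build is newer than the highest affected build
    "vulnerable"       affected build and SAML SSO has been enabled at any point
    "update-required"  affected build but SAML SSO never configured: not
                       reachable under the advisory's condition, still update
    """
    ceiling = AFFECTED_UP_TO.get(product)
    if ceiling is None:
        return "not-listed"
    if parse_build(build) > parse_build(ceiling):
        return "patched"
    return "vulnerable" if saml_sso_ever_enabled else "update-required"


# (hostname, product, installed build, SAML SSO ever enabled): constructed data
SAMPLE_INVENTORY: List[Tuple[str, str, str, bool]] = [
    ("svr-ec-01", "Endpoint Central", "10.1.2228.9", True),
    ("svr-ec-02", "Endpoint Central", "10.1.2228.11", True),
    ("svr-adm-01", "ADManager Plus", "7161", False),
    ("svr-sdp-01", "ServiceDesk Plus", "14000", True),
]


def triage_inventory(inventory: List[Tuple[str, str, str, bool]]) -> Dict[str, List[str]]:
    """Group hostnames by triage result, preserving input order."""
    grouped: Dict[str, List[str]] = {}
    for host, product, build, saml in inventory:
        grouped.setdefault(triage(product, build, saml), []).append(host)
    return grouped


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts)}")
```

Feed it your own asset inventory in place of SAMPLE_INVENTORY. A "not-listed" result only means the product is absent from the list on this page, not that it is unaffected: ServiceDesk Plus is not listed above, yet it is the product CISA reports as exploited.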

CISA adds CVE-2022-47966 to Known Exploited Vulnerability Catalog

CISA has added CVE-2022-47966 to the Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-47966

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Cyber National Mission Force (CNMF) identified indicators of compromise (IOCs) at an aeronautical sector organisation dating from as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorised access to a public-facing Zoho ManageEngine ServiceDesk Plus instance.


Threat updates

Date         Update
8 Sep 2023   CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-47966. This cyber alert has been updated to reflect this change.
24 Jan 2023  CISA adds CVE-2022-47966 to the Known Exploited Vulnerabilities Catalog. This article has been updated to reflect the status of exploitation.


Remediation advice

Affected organisations must review ManageEngine's critical-severity "Security advisory for remote code execution vulnerability in multiple ManageEngine products" for CVE-2022-47966 and apply the relevant security updates. Because exploitation has been confirmed, organisations that ran an affected build with SAML SSO enabled at any point should also review the IOCs published by CISA, FBI and CNMF and check the affected hosts for signs of compromise.



Last edited: 8 September 2023 2:26 pm