Zoho ManageEngine RCE Vulnerability CVE-2022-47966
Summary
Proof-of-concept expected to be released for a critical RCE vulnerability, which affects 24 Zoho ManageEngine Products
Affected platforms
The following platforms are known to be affected:
- Active Directory 360, Versions: 4309 and earlier
- ADManager Plus, Versions: 7161 and earlier
- Analytics Plus, Versions: 5140 and earlier
- Application Control Plus, Versions: 10.1.2220.17 and earlier
- Asset Explorer, Versions: 6982 and earlier
- Browser Security Plus, Versions: 11.1.2238.5 and earlier
- Device Control Plus, Versions: 10.1.2220.17 and earlier
- Endpoint Central, Versions: 10.1.2228.10 and earlier
- Endpoint Central MSP, Versions: 10.1.2228.10 and earlier
- Endpoint DLP, Versions: 10.1.2137.5 and earlier
- Key Manager Plus, Versions: 6400 and earlier
- OS Deployer, Versions: 1.1.2243.0 and earlier
- Patch Manager Plus, Versions: 10.1.2220.17 and earlier
- Remote Access Plus, Versions: 10.1.2228.10 and earlier
- Remote Monitoring and Management (RMM), Versions: 10.1.40 and earlier
- Vulnerability Manager Plus, Versions: 10.1.2220.17 and earlier
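As an added defender-side check (not code from the advisory or from ManageEngine), the script below compares an installed build number against the "and earlier" thresholds in the list above, handling both the plain build numbers (e.g. 4309) and the dotted versions (e.g. 10.1.2220.17) numerically rather than as strings. Product names and installed versions are caller-supplied; the check cannot tell whether SAML SSO was ever enabled, which the advisory states is the condition for exposure.

```python
"""Compare a ManageEngine build against the CVE-2022-47966 thresholds.

Added example; the thresholds are copied from the affected-platforms
list in this advisory. Inputs to is_affected() are constructed by the caller.
"""
from typing import Optional, Tuple

# Product -> highest affected build ("Versions: X and earlier").
AFFECTED_UP_TO = {
    "Active Directory 360": "4309",
    "ADManager Plus": "7161",
    "Analytics Plus": "5140",
    "Application Control Plus": "10.1.2220.17",
    "Asset Explorer": "6982",
    "Browser Security Plus": "11.1.2238.5",
    "Device Control Plus": "10.1.2220.17",
    "Endpoint Central": "10.1.2228.10",
    "Endpoint Central MSP": "10.1.2228.10",
    "Endpoint DLP": "10.1.2137.5",
    "Key Manager Plus": "6400",
    "OS Deployer": "1.1.2243.0",
    "Patch Manager Plus": "10.1.2220.17",
    "Remote Access Plus": "10.1.2228.10",
    "Remote Monitoring and Management (RMM)": "10.1.40",
    "Vulnerability Manager Plus": "10.1.2220.17",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.1.2220.17' or '4309' into a tuple of ints.

    String comparison would be wrong here: '10.1.40' sorts after
    '10.1.2220.17' lexically but is the older build numerically.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if the build is at or below the threshold, False if newer,
    None if the product is not in the list above (e.g. ServiceDesk Plus,
    which the advisory names but gives no threshold for).

    A shorter tuple compares as lower, so '10.1.2228' counts as affected
    against '10.1.2228.10'; treat missing components conservatively.
    """
    threshold = AFFECTED_UP_TO.get(product)
    if threshold is None:
        return None
    return parse_version(installed) <= parse_version(threshold)
```

A `True` result means the build is within the advisory's affected range and the security update should be applied; whether SAML SSO was ever enabled still has to be confirmed separately.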
Threat details
Introduction
In October 2022, Zoho ManageEngine released a security update to address a critical remote code execution (RCE) vulnerability affecting 24 of their products. The vulnerability CVE-2022-47966 relates to the usage of an outdated third-party dependency, Apache Santuario. This vulnerability is only applicable to products on which SAML SSO has been enabled at any point in the ManageEngine setup.
This vulnerability could allow an unauthenticated, remote attacker to execute code with SYSTEM level privileges and take control of an affected system. A proof-of-concept (PoC) is expected to be released and previous vulnerabilities in ManageEngine products have been targeted as an attack vector.
CISA adds CVE-2022-47966 to Known Exploited Vulnerability Catalog
CISA has added CVE-2022-47966 to the Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-47966
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus).
Threat updates
| Date | Update |
|---|---|
| 8 Sep 2023 | CISA, FBI and CNMF have identified IOCs related to the exploitation of CVE-2022-47966. This cyber alert has been updated to reflect this change. |
| 24 Jan 2023 | CISA adds CVE-2022-47966 to Known Exploited Vulnerability Catalog. This article has been updated to reflect the status of exploitation. |
Remediation advice
Affected organisations must review ManageEngine's critical severity "Security advisory for remote code execution vulnerability in multiple ManageEngine products" CVE-2022-47966 and apply relevant security updates.
Definitive source of threat updates
Last edited: 8 September 2023 2:26 pm