Cyber Resilience

CVE-2022-40770

High · RCE

Published: 23 November 2022

Modified: 28 April 2025
KEV Added: not listed
Patch: vendor advisory (see link under Deeper analysis)
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6600 (98.5th percentile)
Risk Priority: 54 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40770 is a high-severity Command Injection (CWE-77) vulnerability in Zoho ManageEngine SupportCenter Plus. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are affected by an authenticated command injection vulnerability tracked as CVE-2022-40770. The flaw carries a CVSS 3.1 base score of 7.2 and maps to CWE-77 (Command Injection); per its vector it is reachable over the network (AV:N), requires high privileges (PR:H), and needs no user interaction (UI:N).

High-privileged authenticated users can exploit the issue to inject operating system commands, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) on the affected instance. The attack surface is limited to users who already hold administrative access within the application.

Official advisories and patch information are published by the vendor at manageengine.com and https://www.manageengine.com/products/service-desk/CVE-2022-40770.html. The EPSS score stands at 0.66 for both current and peak values.

Vulnerability details

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

CWE(s): CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Zoho Corp, ManageEngine ServiceDesk Plus: 13.0 (≤ 13.0)
Zoho Corp, ManageEngine ServiceDesk Plus MSP: 10.6 (≤ 10.6)
Zoho Corp, ManageEngine SupportCenter Plus: 11.0 (≤ 11.0)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
