CVE-2022-40770
Published: 23 November 2022
Summary
CVE-2022-40770 is a high-severity Command Injection (CWE-77) vulnerability in Zohocorp Manageengine Supportcenter Plus. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are affected by an authenticated command injection vulnerability tracked as CVE-2022-40770. The flaw carries a CVSS 3.1 score of 7.2 and is classified as CWE-77; it is exploitable over the network, requires high privileges, and needs no user interaction.
High-privileged authenticated users can exploit the issue to inject operating system commands, with high impact on the confidentiality, integrity, and availability of the affected instance. The attack surface is limited to users who already hold administrative access within the application.
Official advisories and patch information are published by the vendor at manageengine.com and https://www.manageengine.com/products/service-desk/CVE-2022-40770.html. The EPSS score stands at 0.66 for both current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44036
Vulnerability details
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.