Cyber Resilience

CVE-2022-47966

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 18 January 2023
Modified: 31 October 2025
KEV Added: 23 January 2023
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9438 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-47966 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Zoho ManageEngine AssetExplorer and other ManageEngine on-premise products. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS 0.9438, 100.0th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Multiple Zoho ManageEngine on-premise products are affected by CVE-2022-47966, a remote code execution vulnerability stemming from their use of Apache Santuario xmlsec (XML Security for Java) version 1.4.1. The products include ServiceDesk Plus through 14003, Access Manager Plus before 4308, ADAudit Plus before 7081, Endpoint Central before 10.1.2228.11, and numerous others such as Password Manager Pro, PAM 360, and Vulnerability Manager Plus. The issue arises because the XSLT transform support in that xmlsec version leaves certain security protections to the calling application, and the ManageEngine products did not implement them; exploitation requires that SAML SSO has been configured for the product.

Unauthenticated remote attackers can exploit the flaw over the network when SAML SSO is active or has been previously enabled, achieving full remote code execution with impacts to confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 score of 9.8 and is associated with CWE-20 input validation weaknesses, allowing arbitrary code execution without requiring user interaction or credentials.

Public references include exploit code and technical analyses on Packet Storm and sites such as AttackerKB and Viettel Cybersecurity, confirming active interest in the issue. The EPSS score has reached a peak of 0.9752 with a current value of 0.9438.

Vulnerability details

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

CWE(s): CWE-20 (Improper Input Validation)

Related Threats

Threat-Actor Attribution (AI-generated)

Cl0p (aka Clop)
Cl0p ransomware operators mass-exploited CVE-2022-47966 in ManageEngine ServiceDesk Plus (CISA AA23-250A, Mandiant threat intel, Sep 2023).

Affected Assets (vendor / product: version)

zohocorp / manageengine access manager plus: 4.3 · ≤ 4.3
zohocorp / manageengine ad360: 4.3 · ≤ 4.3
zohocorp / manageengine adaudit plus: 7.0 · ≤ 7.0
zohocorp / manageengine admanager plus: 7.1 · ≤ 7.1
zohocorp / manageengine adselfservice plus: 6.2 · ≤ 6.2
zohocorp / manageengine analytics plus: 5.1 · ≤ 5.1
zohocorp / manageengine assetexplorer: 6.9 · ≤ 6.9
zohocorp / manageengine key manager plus: 6.4 · ≤ 6.4
zohocorp / manageengine pam360: 5.7 · ≤ 5.7
zohocorp / manageengine password manager pro: 12.1 · ≤ 12.1
+12 more product configuration(s) — see NVD for full list

Mitigating Controls

NIST 800-53 r5 mapping (AI-generated)

Prevent · SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that close the xmlsec 1.4.1 SAML RCE flaw in every listed ManageEngine product.

Prevent · SI-10 (Information Input Validation): mandates validation and sanitization of all SAML assertions and embedded XSLT content before processing, exactly the protection the products omitted.

Prevent: requires disabling or restricting non-essential SAML SSO functionality when it is not needed, eliminating the code path that triggers the unauthenticated RCE.
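The input-validation control above can be enforced as a gate on the raw SAML message before it reaches the XML-Signature library at all. The following is an added example, not ManageEngine or Apache Santuario code; it assumes an allowlist of the transforms a typical IdP signature uses and treats any other ds:Transform algorithm (XSLT included) or a missing signature as grounds to reject the message, and the SAML responses it checks are constructed samples.

```python
"""Added example (not ManageEngine or Apache Santuario code): refuse XSLT transforms
in a SAML message's ds:Signature before the XML-Signature library processes it."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Assumption: the only transforms an SP should accept from its IdP. XSLT
# (http://www.w3.org/TR/1999/REC-xslt-19991116) is deliberately not listed.
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
})


def disallowed_transforms(saml_xml: str) -> list:
    """Every ds:Transform Algorithm in the document that is not allowlisted.
    Runs on the raw message, before verification: xmlsec 1.4.1 would otherwise
    execute an XSLT transform while resolving the ds:Reference."""
    root = ET.fromstring(saml_xml)
    return [t.get("Algorithm", "") for t in root.iter(DS + "Transform")
            if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS]


def is_acceptable(saml_xml: str) -> bool:
    """True only if the message is signed and every transform is allowlisted."""
    root = ET.fromstring(saml_xml)
    if root.find(".//" + DS + "Signature") is None:
        return False  # unsigned: must never reach the SSO code path
    return not disallowed_transforms(saml_xml)


def _response(ref_id: str, transforms: str) -> str:
    """Build a constructed (not real) SAML Response carrying the given transforms."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{ref_id}">'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref_id}">'
            f'<ds:Transforms>{transforms}</ds:Transforms></ds:Reference>'
            f'</ds:SignedInfo></ds:Signature></samlp:Response>')


# Constructed samples: one carrying an XSLT transform, one with the usual pair,
# and one with no signature at all.
BAD_RESPONSE = _response("_r1",
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>')
GOOD_RESPONSE = _response("_r2",
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>')
UNSIGNED_RESPONSE = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
```

This gate only refuses the input class that reaches the vulnerable xmlsec code path; the durable fix remains the vendor patch (SI-2) for every affected product.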

References