CVE-2022-47966
Published: 18 January 2023
Summary
CVE-2022-47966 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Zoho ManageEngine AssetExplorer (and numerous other ManageEngine on-premises products; see below). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Multiple Zoho ManageEngine on-premises products are affected by CVE-2022-47966, a remote code execution vulnerability stemming from their use of Apache Santuario xmlsec version 1.4.1. The products include ServiceDesk Plus through 14003, Access Manager Plus before 4308, ADAudit Plus before 7081, Endpoint Central before 10.1.2228.11, and numerous others such as Password Manager Pro, PAM 360, and Vulnerability Manager Plus. The issue arises because the XSLT features of that xmlsec version leave certain security protections to the calling application, and the ManageEngine products did not implement them; exploitation requires that SAML SSO has been configured for the product.
Unauthenticated remote attackers can exploit the flaw over the network when SAML SSO is active or has been previously enabled, achieving full remote code execution with impacts to confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 score of 9.8 and is associated with CWE-20 input validation weaknesses, allowing arbitrary code execution without requiring user interaction or credentials.
Public references include exploit code and technical analyses on Packet Storm and sites such as AttackerKB and Viettel Cybersecurity, confirming active interest in the issue. The EPSS score has reached a peak of 0.9752 with a current value of 0.9438.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-50684
Vulnerability details
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 23 January 2023
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that close the xmlsec 1.4.1 SAML RCE flaw in every listed ManageEngine product.
- SI-10 (Information Input Validation): mandates validation and sanitization of all SAML assertions and embedded XSLT content before processing, exactly the protection the products omitted.
- Disabling or restricting non-essential SAML SSO functionality when it is not required, which eliminates the code path that triggers the unauthenticated RCE.
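One pre-validation check a SAML-consuming service can run before handing a message to its XML signature library, added here as an example (it is not ManageEngine or xmlsec code): it rejects any ds:Transform not on a short allowlist, flags the XSLT transform algorithm specifically, and refuses messages that embed xsl:* elements anywhere. The SAML skeletons are constructed for the example; the namespaces and algorithm URIs are the standard XML-DSig/SAML ones.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# The only ds:Transform algorithms a typical SAML 2.0 service provider needs.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}

def find_disallowed(xml_text: str) -> list[str]:
    """Reasons to reject the message before it reaches the signature library."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    reasons = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg == XSLT_TRANSFORM:
            reasons.append("XSLT transform in ds:Transforms")
        elif alg not in ALLOWED_TRANSFORMS:
            reasons.append(f"non-allowlisted transform: {alg or '<missing>'}")
    # Stylesheet content anywhere in the message, not only inside a Transform.
    if any(el.tag.startswith("{" + XSL_NS + "}") for el in root.iter()):
        reasons.append("embedded xsl:* element")
    return reasons

def accept_saml_message(xml_text: str) -> bool:
    return not find_disallowed(xml_text)

# Constructed sample messages (skeletons only; no real signature values).
SAFE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1"><ds:Signature><ds:SignedInfo>
 <ds:Reference URI="#_r1"><ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""

# Same skeleton with the second transform swapped for an (empty) XSLT one.
XSLT_RESPONSE = SAFE_RESPONSE.replace(
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>',
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"/>'
    "</ds:Transform>")
```

Run this check before, not instead of, proper signature verification; it only removes the XSLT code path that xmlsec 1.4.1 leaves to the application.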