February 11, 2023 HAWKEYE

ManageEngine RCE Vulnerability (CVE-2022-47966)

A remote code execution vulnerability (CVE-2022-47966) impacting a number of Zoho ManageEngine on-premise products with SAML SSO enabled has been actively exploited, according to Rapid7.


Deepwatch has also noticed activities that might point to exploitation attempts. A cybercriminal can take advantage of a SAML-enabled organization’s vulnerability by sending a specially prepared SAML response that enables remote code execution. A proof-of-concept exploit code released by Horizon3 will most likely be modified by threat actors and used by them to attempt manual and automated scanning and exploitation in order to acquire initial access to targeted victims.

A security advisory for CVE-2022-47966, which was found by Khoadha of Viettel Cyber Security and affected a number of products, was published by ManageEngine on January 10, 2023. An HTTP POST request containing a fraudulent SAML answer can be used by an attacker to acquire remote code execution. Due to the use of an obsolete version of Apache Santuario for XML signature validation, this vulnerability exists.

CVE-2022-47966 Analysis

A researcher at Viettel Cyber Security discovered CVE-2022-47966, an unauthenticated remote code execution flaw, in twenty ManageEngine products, including Access Manager Plus, ADSelfService Plus, Endpoint DLP, Password Manager Pro, PAM360, ServiceDesk Plus, and others.

An obsolete version of the Apache Santuario library, which implements security requirements for XML, was the cause of the vulnerability. A SAML request with an incorrect signature can be used to exploit the issue if SAML single sign-on is currently or has previously been enabled on those products.

By updating the third-party module to the most recent version, this problem has been resolved, according to ManageEngine. In October and November 2022, the company produced repaired versions of each product, and ideally, the majority of businesses have already upgraded their installations.


The vulnerability, CVE-2022-47966, was discovered on December 26. Its description reads, “Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to the use of Apache xmlsec (aka XML Security for Java) 1.4.1 because the ManageEngine applications did not provide those protections.”

The vulnerability was described as a “pre-authentication remote code execution vulnerability” in the “ManageEngine CVE-2022-47966 IOCs” blog post by Horizon3 that was published in mid-January. If SAML single-sign-on is enabled or has ever been enabled, this vulnerability may be exploited depending on the individual ManageEngine product.

Since SAML is now active, more than 1,000 ManageEngine products are probably exposed to the internet, according to Horizon3’s initial blog post about the issue. There are 8,360 exposed instances of the ServiceDesk Plus and Endpoint Central products, 854 of which now support SAML, according to Horizon3’s scan of Shodan. Horizon3 bases its assumption on this 10% or so of all ManageEngine products that are accessible through the internet have SAML enabled. Additionally, Horizon3 makes the assumption that SAML-using firms tend to be bigger and more established, making them more likely to be valuable targets for threat actors.


The Horizon3 PoC exploit code will probably be modified by threat actors, who will then utilize it to attempt manual and automated scanning and exploitation in order to get initial access to victims. Organizations with internet-exposed susceptible ManageEngine on-premise products that have SAML enabled (or ever had it enabled) are very likely to be attacked due to the low number of exposed systems and the likely use of human and automated exploitation attempts.

The deployment of malware families like Cobalt Strike, cryptominers, and others has been caused by the active exploitation of software vulnerabilities, which has resulted in data exfiltration and encryption for extortion. Although security teams make an attempt to patch and secure systems, it is difficult to prevent or effectively remediate these types of incidents due to the speed and intelligence of threat actors.

Affected Products

Product Affected Versions Fixed Versions
Only vulnerable if SAML-based SSO has been set up and is in use by your company.
Access Manager Plus 4307 and below 4308
Analytics Plus 5140 and below 5150
Application Control Plus 10.1.2220.17 and below 10.1.2220.18
Browser Security Plus 11.1.2238.5 and below 11.1.2238.6
Device Control Plus 10.1.2220.17 and below 10.1.2220.18
Endpoint Central 10.1.2228.10 and below 10.1.2228.11
Endpoint Central MSP 10.1.2228.10 and below 10.1.2228.11
Endpoint DLP 10.1.2137.5 and below 10.1.2137.6
Key Manager Plus 6400 and below 6401
OS Deployer 1.1.2243.0 and below 1.1.2243.1
PAM 360 5712 and below 5713
Password Manager Pro 12123 and below 12124
Patch Manager Plus 10.1.2220.17 and below 10.1.2220.18
Remote Access Plus 10.1.2228.10 and below 10.1.2228.11
Remote Monitoring and Management (RMM) 10.1.40 and below 10.1.41
Vulnerability Manager Plus 10.1.2220.17 and below 10.1.2220.18


  • Beginning in late October 2022, Zoho patched the insecure ManageEngine products by updating the outdated dependency. Patching vulnerable products is strongly advised in order to stop attacks.
  • Exploitable services are exposed by assets on the open internet. Where these services must be made available, make sure that the proper compensatory restrictions are in place to stop common abuse and exploitation.
  • Examine systems for signs of exploitation.
, ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.