Remote Code Execution in Zoho ManageEngine Products
CVE-2022-47966
Key Information:
- Vendor
Zohocorp
- Vendor
- CVE Published:
- 18 January 2023
Badges
What is CVE-2022-47966?
Multiple on-premise products from Zoho ManageEngine are vulnerable to remote code execution due to a flaw in the Apache Santuario xmlsec library, specifically version 1.4.1. This vulnerability arises because ManageEngine applications fail to enforce necessary security measures, which expose them to potential exploitation. Successfully taking advantage of this vulnerability requires that SAML Single Sign-On (SSO) has been configured, and in certain instances, it must be active. Affected products include notable solutions such as ServiceDesk Plus and Endpoint Central, underscoring broad implications for organizations using these tools.
CISA has reported CVE-2022-47966
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2022-47966 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply updates per vendor instructions.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
94% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 💰
Used in Ransomware
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published
Vulnerability Reserved