Description Preview
Multiple Zoho ManageEngine on-premise products, including ServiceDesk Plus and others, are affected by a critical vulnerability that enables remote code execution. This vulnerability arises from the use of Apache Santuario xmlsec (XML Security for Java) version 1.4.1, which does not provide adequate security protections by design. The exploitation of this vulnerability is contingent upon the configuration of SAML Single Sign-On (SSO) for the affected products, with some requiring that SAML SSO is currently active. The vulnerability impacts a wide range of ManageEngine applications, making it imperative for users to address this issue promptly.
Overview
CVE-2022-47966 affects several versions of Zoho ManageEngine products, including but not limited to:
- ServiceDesk Plus
- Access Manager Plus
- Active Directory 360
- ADAudit Plus
- ADManager Plus
- ADSelfService Plus
- Analytics Plus
- Application Control Plus
- Asset Explorer
- Browser Security Plus
- Device Control Plus
- Endpoint Central
- Key Manager Plus
- OS Deployer
- PAM 360
- Password Manager Pro
- Patch Manager Plus
- Remote Access Plus
- Remote Monitoring and Management (RMM)
- SupportCenter Plus
- Vulnerability Manager Plus
The vulnerability is classified as critical with a CVSS score of 9.8, indicating a high potential for exploitation. It allows attackers to execute arbitrary code remotely, which could lead to significant data breaches and system compromises.
Remediation
To mitigate the risks associated with CVE-2022-47966, users of the affected ManageEngine products should:
- Update Software: Immediately upgrade to the latest versions of the affected products as specified by Zoho ManageEngine. Ensure that all patches addressing this vulnerability are applied.
- Disable SAML SSO: If SAML SSO is not required, consider disabling it to reduce the attack surface.
- Monitor Systems: Implement monitoring for any unusual activities or unauthorized access attempts on the affected systems.
- Review Security Configurations: Ensure that security configurations are in place to protect against similar vulnerabilities in the future.
References
- Apache Santuario XML Security for Java - Tags
- ManageEngine Security Advisory for CVE-2022-47966
- Packet Storm Security - ServiceDesk Plus Remote Code Execution
- Packet Storm Security - ADSelfService Plus Unauthenticated SAML Remote Code Execution
- Packet Storm Security - Endpoint Central MSP Remote Code Execution
- Viettel Cybersecurity Blog - SAML Show Stopper
- Horizon3 AI - CVE-2022-47966 Technical Deep Dive
- CISA Cybersecurity Advisories
- AttackerKB - CVE-2022-47966 Analysis
Early Warning
Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.
- Armis Alert Date
- Jan 18, 2023
- CISA KEV Date
- Jan 23, 2023
5days early
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing: Low
- Public AdministrationPublic Administration: Low
- Health Care & Social AssistanceHealth Care & Social Assistance: Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- Educational ServicesEducational Services: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Low
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- ConstructionConstruction: Low
- Finance and InsuranceFinance and Insurance: Low
- InformationInformation: Low
- MiningMining: Low
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Retail TradeRetail Trade: Low
- Transportation & WarehousingTransportation & Warehousing: Low
- UtilitiesUtilities: Low
- Wholesale TradeWholesale Trade: Low
