CVE-2022-47966:
CVE-2022-47966 is a remote code execution vulnerability in multiple Zoho ManageEngine on‑premise products caused by insecure XML signature processing in Apache Santuario xmlsec 1.4.1. Exploitation requires SAML SSO to be configured (and in some cases active), enabling an attacker to execute code remotely with high impact across a wide range of ManageEngine products.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Jan 18, 2023
- CISA KEV Date:Jan 23, 2023
- Industries Affected:20
5 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2022-47966 is a remote code execution vulnerability in multiple Zoho ManageEngine on‑premise products caused by insecure XML signature processing in Apache Santuario xmlsec 1.4.1. Exploitation requires SAML SSO to be configured (and in some cases active), enabling an attacker to execute code remotely with high impact across a wide range of ManageEngine products.
Overview
This CVE describes a critical remote code execution flaw in numerous ManageEngine on‑premise products due to the xmlsec 1.4.1 library's XSLT handling, where the application was expected to compensate for security protections that were not provided. The vulnerability is triggered via SAML SSO configurations in affected deployments and can lead to complete system compromise without user interaction, underscoring the need for urgent patching and mitigations across all impacted products.
Remediation
- Apply vendor-published fixes: Upgrade each affected ManageEngine product to the patched version released by the vendor (e.g., ServiceDesk Plus to 14004 or newer; ServiceDesk Plus MSP to 13001 or newer; Endpoint Central to 10.1.2228.11 or newer; Endpoint Central MSP to 10.1.2228.11 or newer; Endpoint DLP to 10.1.2137.6 or newer; and other products to their listed fixed releases as indicated by ManageEngine advisories).
- If upgrading is not immediately possible:
- Disable SAML SSO or restrict it to trusted networks/conditions, and enable additional authentication controls if feasible.
- Implement network-level mitigations (e.g., WAF rules, IP allowlists, and strict access controls) around authentication endpoints.
- Rotate or re‑issue SAML signing certificates/keys and review SAML configurations for anomalies.
- Monitor and alert for suspicious SAML authentication events and unusual XML/SAML payloads.
- Ensure compensating security controls are in place (least privilege access, asset inventory, and rapid incident response readiness).
- Update the underlying xmlsec/library stack where possible to a patched version delivered by the vendor, and verify that all mitigations align with the vendor advisory.
- After patching, revalidate SAML SSO configurations and perform security testing to confirm the vulnerability is mitigated.
References
- - https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
- - https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- - http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html
- - http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html
- - http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html
- - https://blog.viettelcybersecurity.com/saml-show-stopper/
- - https://github.com/horizon3ai/CVE-2022-47966
- - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- - https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Jan 19, 2023
- CISA KEV Date:Jan 23, 2023
- Days Early:5 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
