SOCRadar® Cyber Intelligence Inc. | What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)
Jan 17, 2023

What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)

CVE-2022-47966 is a critical vulnerability in a number of Zoho’s ManageEngine products that allows unauthenticated remote code execution. The root cause is the use of an outdated, vulnerable version of the third-party dependency Apache Santuario (an XML security library), which is what makes the remote code execution exploitable.

Every ManageEngine server on which SAML-based single sign-on (SSO) has been enabled at least once is vulnerable, whether or not SSO is still active at the time of the attack.

By exploiting CVE-2022-47966, an attacker could execute arbitrary code as NT AUTHORITY\SYSTEM, a local account with very high privileges, and thereby gain full control of the system.

According to researchers, the vulnerability is simple to exploit and a good fit for spray-and-pray attacks. An attacker with SYSTEM-level access could dump credentials from LSASS (Local Security Authority Subsystem Service) or use other tools to obtain the credentials stored in the application, in order to move laterally.

Products Impacted by CVE-2022-47966

CVE-2022-47966 impacts all versions listed below and earlier (*see exception).

Product                               Version
------------------------------------  --------------
Access Manager Plus                   4307
Active Directory 360                  4309
ADAudit Plus                          7080
ADManager Plus                        7161
ADSelfService Plus                    6210
Analytics Plus                        5140
Application Control Plus              10.1.2220.17
Patch Manager Plus                    10.1.2220.17
Vulnerability Manager Plus            10.1.2220.17
Device Control Plus                   10.1.2220.17
Asset Explorer                        6982
Browser Security Plus                 11.1.2238.5
Endpoint Central                      10.1.2228.10
Endpoint Central MSP                  10.1.2228.10
Remote Access Plus                    10.1.2228.10
Endpoint DLP                          10.1.2137.5
Key Manager Plus                      6400
OS Deployer                           1.1.2243.0
PAM 360                               5712
Password Manager Pro                  12123
Remote Monitoring and Management      10.1.40
ServiceDesk Plus                      14003
ServiceDesk Plus MSP                  13000
SupportCenter Plus                    11017 to 11025*

*Exception: for SupportCenter Plus the entry is the range of affected builds, not an upper bound with all earlier builds affected.
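As an added example (not code from SOCRadar or ManageEngine), the following Python helper encodes the table above, including the SupportCenter Plus range exception, and flags inventory rows whose build is still affected; the inventory rows are constructed sample data and the host names are placeholders.

```python
# Affected builds taken from the table on this page: each key is the last
# affected build for the products listed ("this build and earlier").
_AFFECTED_UP_TO = {
    "4307": ("Access Manager Plus",), "4309": ("Active Directory 360",),
    "7080": ("ADAudit Plus",), "7161": ("ADManager Plus",),
    "6210": ("ADSelfService Plus",), "5140": ("Analytics Plus",),
    "10.1.2220.17": ("Application Control Plus", "Patch Manager Plus",
                     "Vulnerability Manager Plus", "Device Control Plus"),
    "6982": ("Asset Explorer",), "11.1.2238.5": ("Browser Security Plus",),
    "10.1.2228.10": ("Endpoint Central", "Endpoint Central MSP", "Remote Access Plus"),
    "10.1.2137.5": ("Endpoint DLP",), "6400": ("Key Manager Plus",),
    "1.1.2243.0": ("OS Deployer",), "5712": ("PAM 360",),
    "12123": ("Password Manager Pro",), "10.1.40": ("Remote Monitoring and Management",),
    "14003": ("ServiceDesk Plus",), "13000": ("ServiceDesk Plus MSP",),
}
MAX_AFFECTED = {p: b for b, ps in _AFFECTED_UP_TO.items() for p in ps}
# Exception from the table: SupportCenter Plus is affected only inside this range.
AFFECTED_RANGE = {"SupportCenter Plus": ("11017", "11025")}

def build_key(build):
    """Turn '10.1.2220.17' or '4307' into a tuple comparable component-wise."""
    return tuple(int(part) for part in build.strip().split("."))

def is_affected(product, build):
    """True if the build is affected per the table, False if not,
    None if the product is not in the table (needs manual review)."""
    if product in AFFECTED_RANGE:
        lo, hi = AFFECTED_RANGE[product]
        return build_key(lo) <= build_key(build) <= build_key(hi)
    if product in MAX_AFFECTED:
        return build_key(build) <= build_key(MAX_AFFECTED[product])
    return None

def triage(inventory):
    """Split (host, product, build) rows into affected hosts and unknown products."""
    affected, unknown = [], []
    for host, product, build in inventory:
        verdict = is_affected(product, build)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
    return sorted(affected), sorted(unknown)

SAMPLE_INVENTORY = [  # constructed sample data, not a real environment
    ("sd-01", "ServiceDesk Plus", "14003"),        # last affected build
    ("ec-02", "Endpoint Central", "10.1.2228.11"),  # one build past the table
    ("sc-03", "SupportCenter Plus", "11020"),       # inside the exception range
    ("xx-04", "Unlisted Product", "1"),             # not covered by the table
]
```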

Is There a Proof-of-Concept for CVE-2022-47966?

Horizon3 has developed proof-of-concept (PoC) exploit code for CVE-2022-47966 and plans to release it this week; it is recommended that any vulnerable instances be patched before the PoC is made public.

Is CVE-2022-47966 Under Active Exploitation?

There are no reports of CVE-2022-47966 being actively exploited yet, but the risk of exploitation rises sharply once the PoC is made available.

Zoho’s ManageEngine products have previously been targeted by attackers exploiting various types of vulnerabilities. A previous remote code execution vulnerability (CVE-2022-35405) was added to CISA’s catalog in September 2022 to urge patching.

Is There a Mitigation Available?

Zoho has patched the vulnerable ManageEngine products, starting in late October 2022, by updating the out-of-date dependency. To prevent attacks, it is strongly advised to update the affected products to the fixed builds. Refer to the ManageEngine advisory for CVE-2022-47966 for the fixed build of each product.

How Can SOCRadar Help?

Follow the latest vulnerabilities with SOCRadar’s Vulnerability Intelligence, stay aware of recent risks, and better prioritize your actions. SOCRadar collects information on all vulnerabilities, presents it in an actionable, easier-to-manage feed, and notifies you through ASM when a vulnerability affects your organization.

Use SOCRadar’s Vulnerability Intelligence to stay updated on vulnerabilities