SOCRadar® Cyber Intelligence Inc. | What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)


Jan 17, 2023
3 Mins Read

What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)

CVE-2022-47966, a critical vulnerability in a number of Zoho’s products, allows remote code execution without authentication. The use of a vulnerable third-party dependency called Apache Santuario is the root cause that enables the exploitation of the remote code execution vulnerability.

Every ManageEngine server that has at least once enabled SAML-based single-sign-on (SSO) is vulnerable to exploitation, whether it is active at the time of the attack or not.

An attacker could gain full control of the system by exploiting the CVE-2022-47966 vulnerability, which could enable an attacker to execute arbitrary code as NT AUTHORITYSYSTEM, a local account with very high privileges.

According to researchers, the vulnerability is simple to exploit and a good fit for spray and pray attacks. An attacker with System level access could dump credentials with LSASS (Local Security Authority Server Service) or choose to use other tools to obtain the credentials stored on the application, in order to move laterally.

Products Impacted by CVE-2022-47966

CVE-2022-47966 impacts all versions listed below and earlier. (*Exception)



Access Manager Plus


Active Directory 360


ADAudit Plus


ADManager Plus


ADSelfService Plus


Analytics Plus


Application Control Plus 
Patch Manager Plus 
Vulnerability Manager Plus 
Device Control Plus


Asset Explorer


Browser Security Plus


Endpoint Central 
Endpoint Central MSP 
Remote Access Plus


Endpoint DLP


Key Manager Plus


OS Deployer


PAM 360


Password Manager Pro


Remote Monitoring and Management


ServiceDesk Plus


ServiceDesk Plus MSP


SupportCenter Plus

11017 to 11025*

Is There a Proof-of-Concept for CVE-2022-47966?

Horizon3 has a proof-of-concept (PoC) exploit code that will be released this week; it is recommended that any vulnerable instances are patched before the PoC for the CVE-2022-47966 vulnerability is made public.

Is CVE-2022-47966 Under Active Exploitation?

There are no reports of the CVE-2022-47966 vulnerability being actively exploited, but it is at risk of being exploited once the PoC is made available.

It is known that Zoho’s ManageEngine products have previously been targeted by attackers to exploit various types of vulnerabilities. A previous remote code execution vulnerability (CVE-2022-35405) was added to CISA’s catalog to urge the patching in September 2022.

Is There a Mitigation Available?

Zoho has patched the vulnerable ManageEngine products, starting late October 2022, by updating the out-of-date dependency. To prevent attacks, it is strongly advised to patch the affected products. The ManageEngine advisory for CVE-2022-47966 can be found here.

How Can SOCRadar Help?

Follow the latest vulnerabilities on Vulnerability Intelligence via SOCRadar, be aware of recent risks, and better prioritize your actions. SOCRadar collects information on all vulnerabilities and presents it to you in an actionable format, in an easier-to-manage feed, and notifies you by ASM in case a vulnerability affects your organization.

Use SOCRadar’s Vulnerability Intelligence to stay updated on vulnerabilities