What Do You Need to Know About the Critical RCE Vulnerability in Zoho’s ManageEngine? (CVE-2022-47966)

CVE-2022-47966, a critical vulnerability in a number of Zoho’s products, allows remote code execution without authentication. The use of a vulnerable third-party dependency called Apache Santuario is the root cause that enables the exploitation of the remote code execution vulnerability.

Every ManageEngine server that has at least once enabled SAML-based single-sign-on (SSO) is vulnerable to exploitation, whether it is active at the time of the attack or not.

An attacker could gain full control of the system by exploiting the CVE-2022-47966 vulnerability, which could enable an attacker to execute arbitrary code as NT AUTHORITYSYSTEM, a local account with very high privileges.

According to researchers, the vulnerability is simple to exploit and a good fit for spray and pray attacks. An attacker with System level access could dump credentials with LSASS (Local Security Authority Server Service) or choose to use other tools to obtain the credentials stored on the application, in order to move laterally.

Products Impacted by CVE-2022-47966

CVE-2022-47966 impacts all versions listed below and earlier. (*Exception)

Product	Version
Access Manager Plus	4307
Active Directory 360	4309
ADAudit Plus	7080
ADManager Plus	7161
ADSelfService Plus	6210
Analytics Plus	5140
Application Control Plus Patch Manager Plus Vulnerability Manager Plus Device Control Plus	10.1.2220.17
Asset Explorer	6982
Browser Security Plus	11.1.2238.5
Endpoint Central Endpoint Central MSP Remote Access Plus	10.1.2228.10
Endpoint DLP	10.1.2137.5
Key Manager Plus	6400
OS Deployer	1.1.2243.0
PAM 360	5712
Password Manager Pro	12123
Remote Monitoring and Management	10.1.40
ServiceDesk Plus	14003
ServiceDesk Plus MSP	13000
SupportCenter Plus	11017 to 11025*

Is There a Proof-of-Concept for CVE-2022-47966?

Horizon3 has a proof-of-concept (PoC) exploit code that will be released this week; it is recommended that any vulnerable instances are patched before the PoC for the CVE-2022-47966 vulnerability is made public.

Is CVE-2022-47966 Under Active Exploitation?

There are no reports of the CVE-2022-47966 vulnerability being actively exploited, but it is at risk of being exploited once the PoC is made available.

It is known that Zoho’s ManageEngine products have previously been targeted by attackers to exploit various types of vulnerabilities. A previous remote code execution vulnerability (CVE-2022-35405) was added to CISA’s catalog to urge the patching in September 2022.

Is There a Mitigation Available?

Zoho has patched the vulnerable ManageEngine products, starting late October 2022, by updating the out-of-date dependency. To prevent attacks, it is strongly advised to patch the affected products. The ManageEngine advisory for CVE-2022-47966 can be found here.

How Can SOCRadar Help?

Follow the latest vulnerabilities on Vulnerability Intelligence via SOCRadar, be aware of recent risks, and better prioritize your actions. SOCRadar collects information on all vulnerabilities and presents it to you in an actionable format, in an easier-to-manage feed, and notifies you by ASM in case a vulnerability affects your organization.