CVSSv3: 9.8

CVE-2022-47966

Published: 18/01/2023 Updated: 11/09/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus prior to 4308, Active Directory 360 prior to 4310, ADAudit Plus prior to 7081, ADManager Plus prior to 7162, ADSelfService Plus prior to 6211, Analytics Plus prior to 5150, Application Control Plus prior to 10.1.2220.18, Asset Explorer prior to 6983, Browser Security Plus prior to 11.1.2238.6, Device Control Plus prior to 10.1.2220.18, Endpoint Central prior to 10.1.2228.11, Endpoint Central MSP prior to 10.1.2228.11, Endpoint DLP prior to 10.1.2137.6, Key Manager Plus prior to 6401, OS Deployer prior to 1.1.2243.1, PAM 360 prior to 5713, Password Manager Pro prior to 12124, Patch Manager Plus prior to 10.1.2220.18, Remote Access Plus prior to 10.1.2228.11, Remote Monitoring and Management (RMM) prior to 10.1.41, ServiceDesk Plus prior to 14004, ServiceDesk Plus MSP prior to 13001, SupportCenter Plus prior to 11026, and Vulnerability Manager Plus prior to 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Vulnerable Products

zohocorp manageengine access manager plus 4.3

zohocorp manageengine access manager plus

zohocorp manageengine ad360

zohocorp manageengine ad360 4.3

zohocorp manageengine adaudit plus 7.0

zohocorp manageengine adaudit plus

zohocorp manageengine admanager plus 7.1

zohocorp manageengine admanager plus

zohocorp manageengine adselfservice plus 6.2

zohocorp manageengine adselfservice plus

zohocorp manageengine analytics plus

zohocorp manageengine analytics plus 5.1

zohocorp manageengine assetexplorer 6.9

zohocorp manageengine assetexplorer

zohocorp manageengine key manager plus

zohocorp manageengine key manager plus 6.4

zohocorp manageengine pam360 5.7

zohocorp manageengine pam360

zohocorp manageengine password manager pro

zohocorp manageengine password manager pro 12.1

zohocorp manageengine servicedesk plus

zohocorp manageengine servicedesk plus 14.0

zohocorp manageengine servicedesk plus msp

zohocorp manageengine servicedesk plus msp 13.0

zohocorp manageengine supportcenter plus 11.0

zohocorp application control plus

zohocorp manageengine browser security plus

zohocorp manageengine device control plus

zohocorp manageengine desktop central

zohocorp manageengine endpoint dlp plus

zohocorp manageengine os deployer

zohocorp manageengine patch manager plus

zohocorp manageengine remote access plus

zohocorp manageengine vulnerability manager plus

zohocorp manageengine rmm central

Vendor Advisories

Description: The MITRE CVE dictionary describes this issue as: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain secu ...

Exploits

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below. Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML ...

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the Service ...

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML ...

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlRes ...

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResp ...

Metasploit Modules

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

msf > use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show targets
    ...targets...
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set TARGET < target-id >
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options
    ...show and set options...
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > exploit

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

msf > use exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966
msf exploit(manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show targets
    ...targets...
msf exploit(manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set TARGET < target-id >
msf exploit(manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show options
    ...show and set options...
msf exploit(manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit

Github Repositories

Run on your ManageEngine server

CVE-2022-47966_checker: Quick and dirty PowerShell script to look for ManageEngine CVE-2022-47966 IOCs. The script will parse requests in ME HTTP access logs. If a characteristic SAML request is found, it will attempt to decode and extract the attacker's payload. Findings are written to C:\aceresponder_CVE-2022-47966_checker.csv. Run as Admin. Fair warning: these logs don ...

POC for CVE-2022-47966 affecting multiple ManageEngine products

CVE-2022-47966: POC for CVE-2022-47966 affecting the following ManageEngine products: Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, ADSelfService Plus, Analytics Plus, Application Control Plus, Asset Explorer, Browser Security Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, Endpoint DLP, Key Manager Plus, OS Deployer, PAM 360, Password Manager Pro ...

The manage engine mass loader for CVE-2022-47966

CVE-2022-47966 (ManageEngine RCE 2022). This repo is part of the hgrab-framework.

Installation: install the app on the server:

user@domain:~# git clone github.com/Inplex-sys/CVE-2022-47966.git
user@domain:~# cd /CVE-2022-47966/
user@domain:~# python3 main.py <list.txt> <command>

The list file must contain t ...

H2-Goat. Legend: - text in red, + text in green, ! text in orange, # text in gray, @@ text in purple (and bold) @@. Read the summary. Security Misconfiguration: When we are installing the new application or the old password is still used in the new application, the application might be vulnerable. The way to prevent this situation is to delete the features, ...

PoC for cve-2022-47966

PoC-for-ME-SAML-Vulnerability: PoC for cve-2022-47966. To test, send it to /SamlResponseServlet as a POST request. Base64 encode it and give it as the value of the SAMLResponse parameter and send. Format:

POST /SamlResponseServlet HTTP/1.0
Host:
SAMLResponse=&RelayState=

Python scanner for CVE-2022-47966. Supports ~10 of the 24 affected products.

CVE-2022-47966 Scanner. About: CVE-2022-47966 is a critical unauthenticated remote code execution vulnerability affecting at least 24 on-premise ManageEngine products. The vulnerability applies only if SAML SSO is enabled. For some products it also applies if SAML SSO was previously enabled. Timeline: CVE-2022-47966 was discovered by Khoadha of Viettel Cyber Security and seems to ...

Recent Articles

Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption
Symantec Threat Intelligence Blog • Threat Hunter Team • 12 Mar 2024

Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector.

Posted: 12 Mar 2024, 4 min read. Ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023. Attackers have co...