
PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966)
2023-01-17 12:39

If your enterprise is running ManageEngine products that were affected by CVE-2022-47966, check now whether they have been updated to a non-vulnerable version, because Horizon3 will be releasing technical details and a PoC exploit this week.

CVE-2022-47966 is an unauthenticated remote code execution vulnerability that has been found by a researcher with Viettel Cyber Security in two dozen ManageEngine products, including Access Manager Plus, ADSelfService Plus, Endpoint DLP, Password Manager Pro, PAM360, ServiceDesk Plus, and others.

The source of the vulnerability was an outdated version of the Apache Santuario library, which provides an implementation of security standards for XML. The vulnerability is only exploitable if SAML single sign-on is currently enabled, or has been enabled in the past, on those products, and can be exploited by crafting a SAML request with an invalid signature.
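As an added illustration of the mechanism (example code written for this page, not code from the article, Horizon3 or ManageEngine): a defender-side check that flags SAML messages whose XML-Signature transform chain carries an XSLT transform, the xmlsec feature behind this bug, so such messages can be alerted on or rejected before a signature library ever evaluates them. The transform allow-list and the two sample SAML responses are constructed assumptions.

```python
"""Flag SAML messages whose XML-Signature transforms use XSLT.

CVE-2022-47966 stems from Apache Santuario xmlsec 1.4.1 evaluating XSLT
transforms inside <ds:Transforms> while leaving the security protections to
the application. A SAML response normally needs only the enveloped-signature
and canonicalization transforms, so anything else is worth alerting on.
Example code added here, not from the article or from ManageEngine.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Assumed allow-list: transforms a SAML verifier legitimately needs.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}

def suspicious_transforms(saml_xml: str) -> list:
    """Return the Algorithm URI of every <ds:Transform> not on the allow-list."""
    root = ET.fromstring(saml_xml)
    found = []
    for t in root.iter(f"{{{DS_NS}}}Transform"):
        alg = t.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            found.append(alg)
    return found

def uses_xslt_transform(saml_xml: str) -> bool:
    """True when the transform chain asks the verifier to run XSLT."""
    return XSLT_TRANSFORM in suspicious_transforms(saml_xml)

# Constructed samples: a normal transform chain and one carrying an XSLT stylesheet.
def _response(transforms: str) -> str:
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{DS_NS}" ID="_r1"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#_r1"><ds:Transforms>{transforms}</ds:Transforms>'
            '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')

BENIGN = _response('<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
                   '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>')
XSLT_SAMPLE = _response(f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
                        '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
                        '<xsl:template match="/"/></xsl:stylesheet></ds:Transform>')

if __name__ == "__main__":
    print("benign:", suspicious_transforms(BENIGN))      # []
    print("xslt:", suspicious_transforms(XSLT_SAMPLE))   # [XSLT_TRANSFORM]
```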

Zoho released fixed versions of each product throughout October and November 2022 and, hopefully, most organizations have already upgraded their installations.

Attackers often take advantage of flaws in Zoho's ManageEngine offerings.

"ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management. Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access, if exposed to the internet, and the ability for lateral movement with highly privileged credentials," Horseman pointed out.


News URL

https://www.helpnetsecurity.com/2023/01/17/cve-2022-47966-poc/

Related Vulnerability

Date: 2023-01-18
CVE: CVE-2022-47966
Vulnerability title: Unspecified vulnerability in Zohocorp products
Description: Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
Risk: network, low complexity, zohocorp, critical, 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Manageengine 9 0 3 4 3 10