CVE-2022-47966 — Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability

CVE-2022-47966

Zoho ManageEngine — Pre-Auth RCE via XSLT Transforms in SAML SSO Signature Processing (Outdated Apache Santuario); Exploited by Ransomware Groups

What is Zoho ManageEngine?

Zoho ManageEngine is a suite of enterprise IT management products used by organizations worldwide for IT service management, Active Directory management, privileged password vaulting, network monitoring, endpoint management, and more. The affected products span many of ManageEngine's core offerings, including ServiceDesk Plus, ADManager Plus, ADSelfService Plus, SupportCenter Plus, and others, each of which has a significant enterprise and government customer base. ManageEngine products are frequently internet-accessible to support remote IT operations, and their service accounts typically hold broad Active Directory privileges, which makes them attractive targets for threat actors seeking initial network access or privileged credentials.

Overview

CVE-2022-47966 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in more than twenty Zoho ManageEngine products that have SAML single sign-on enabled, or had it enabled at some point. The products bundled an outdated release of Apache Santuario (XML Security for Java, xmlsec 1.4.1) to verify the XML signatures on SAML messages. That release honours XSLT transforms placed inside a signature's ds:Transform element and executes them before the signature itself is checked, and its Xalan XSLT engine exposes Java classes such as java.lang.Runtime to the stylesheet. An unauthenticated attacker who can reach a product's SAML response endpoint can therefore post a SAML response carrying a malicious stylesheet and run commands on the server with the privileges of the ManageEngine service; no valid signature and no relationship with the configured identity provider is required. The vulnerability has been used by ransomware operators, and Rapid7 documented in-the-wild exploitation within days of public proof-of-concept code.

Affected Versions

More than 20 ManageEngine products are affected if SAML SSO is enabled, or has ever been enabled, in that product. Key affected products and the build that fixes each:

Product               Fixed build
ServiceDesk Plus      14004 and later
ADManager Plus        7183 and later
ADSelfService Plus    6210 and later
SupportCenter Plus    11026 and later
PAM360                5801 and later (PAM360 is also affected by the separate, earlier CVE-2022-35405)

Products in which SAML SSO was never configured are not vulnerable. Check ManageEngine's advisory for the complete product list and the authoritative fixed build number for each product before relying on the figures above.

Technical Details

The vulnerability is in the copy of Apache Santuario (XML Security for Java, xmlsec 1.4.1) that ManageEngine products bundled for verifying XML digital signatures in the SAML SSO flow. In that release, by design, the application is responsible for restricting which signature transforms are honoured, and the ManageEngine products did not restrict them; later Santuario releases ship a secure-validation mode that rejects XSLT transforms outright.

In SAML single sign-on, the identity provider (IdP) sends the service provider (here, the ManageEngine product) a signed XML response, normally through the user's browser with the HTTP-POST binding, and the signature is what lets the service provider trust the assertion inside it. An XML signature's ds:Reference element lists the ds:Transform steps the verifier must apply to the referenced data before hashing it, and the XML-DSig specification defines an XSLT transform as one of those steps: the stylesheet to run is embedded in the transform, and a conforming verifier executes it while computing the digest, that is, before it has checked whether the signature value is valid.

Santuario 1.4.1 implements the XSLT transform with Xalan, whose Java extension mechanism lets a stylesheet reference arbitrary Java classes through namespaces of the form http://xml.apache.org/xalan/java/<class name>. A SAML response whose signature carries such a stylesheet therefore executes attacker-chosen commands (for example via java.lang.Runtime.exec) with the privileges of the ManageEngine service process. The signature value, the digest and the configured IdP certificate never enter into it, so the attacker needs neither a valid signature nor any relationship with the IdP; the only prerequisite is network access to the product's SAML response endpoint, which is a fixed path in some products and includes a per-installation identifier in others. Note that this is not an XML Signature Wrapping (XSW) attack, in which a valid signature is retargeted at a different element: here verification never reaches the point of checking a signature at all.

SAML SSO must be enabled now, or have been enabled in the past, on the product. The vendor advisory treats a product in which SAML was configured at some point as vulnerable even if SAML has since been disabled, because the SAML response endpoint and the signature-processing code path remain reachable, so the fixed build is required regardless. Products in which SAML SSO was never configured are not affected.
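The defensive check the mechanism above implies, as an added example in Python that is not ManageEngine's or Apache Santuario's code: pre-screen a SAML 2.0 response before any signature library sees it, rejecting an XSLT (or any non-allowlisted) transform, a Reference that does not point at the Response or one of its Assertions, and an Issuer other than the configured IdP. The namespace URIs are the standard SAML and XML-DSig ones; the IdP entity ID https://idp.example.test/, the element IDs and the two responses are constructed fixtures, and the malicious one only carries the stylesheet, which is parsed and never executed.

```python
"""Pre-screen a SAML 2.0 Response before it reaches the XML-DSig library.

Added example, not ManageEngine or Apache Santuario code.  The vulnerable library
ran ds:Transform steps before checking the signature, so the defence has to
happen before that library is called at all."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
XALAN_JAVA_NS = "http://xml.apache.org/xalan/java/"  # Xalan Java extension prefix
# The only transforms a SAML signature legitimately needs.
ALLOWED_TRANSFORMS = {
    DS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}
IDP_ENTITY_ID = "https://idp.example.test/"  # assumed configured IdP (fixture)


def prevalidate_saml_response(xml_text, expected_issuer):
    """Return the list of reasons to reject; an empty list means the response
    may be handed to the signature verifier.  No cryptography happens here."""
    findings = []
    # Cheap raw-text indicator first: a Xalan Java extension namespace has no
    # legitimate use in a SAML message, wherever an attacker puts it.
    if XALAN_JAVA_NS in xml_text:
        findings.append("xalan-java-extension-namespace")
    try:
        root = ET.fromstring(xml_text)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return findings + ["malformed-xml: %s" % exc]
    if root.tag != "{%s}Response" % SAMLP:
        return findings + ["root-not-samlp-response"]

    # The only elements the IdP is expected to sign: the Response and its Assertions.
    signable_ids = {root.get("ID")} | {
        a.get("ID") for a in root.findall("{%s}Assertion" % SAML)}
    signable_ids.discard(None)

    signatures = list(root.iter("{%s}Signature" % DS))
    if not signatures:
        findings.append("unsigned-response")
    for sig in signatures:
        for ref in sig.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if not (uri.startswith("#") and uri[1:] in signable_ids):
                findings.append("reference-uri-not-response-or-assertion: %r" % uri)
            for transform in ref.iter("{%s}Transform" % DS):
                alg = transform.get("Algorithm", "")
                if alg == XSLT_TRANSFORM:
                    findings.append("xslt-transform")  # the CVE-2022-47966 primitive
                elif alg not in ALLOWED_TRANSFORMS:
                    findings.append("disallowed-transform: " + alg)

    # Issuer must be the configured IdP at both Response and Assertion level.
    for issuer in root.iter("{%s}Issuer" % SAML):
        if (issuer.text or "").strip() != expected_issuer:
            findings.append("unexpected-issuer: " + (issuer.text or "").strip())
    return findings


def build_response(transforms_xml, issuer=IDP_ENTITY_ID):
    """Constructed fixture: a minimal signed Response.  The signature and digest
    values are placeholders; the attacker never needed real ones."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
    ID="_resp1" Version="2.0" IssueInstant="2023-01-18T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2023-01-18T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_assert1"><ds:Transforms>{transforms_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


BENIGN_RESPONSE = build_response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>')

# Shape of the exploit payload: an XSLT transform whose stylesheet reaches into
# java.lang.Runtime through Xalan's extension namespace.  Parsed only, never run.
MALICIOUS_RESPONSE = build_response(
    '<ds:Transform Algorithm="%s">'
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
    ' xmlns:rt="%sjava.lang.Runtime"><xsl:template match="/">'
    '<xsl:value-of select="rt:exec(rt:getRuntime(), \'id\')"/>'
    '</xsl:template></xsl:stylesheet></ds:Transform>' % (XSLT_TRANSFORM, XALAN_JAVA_NS))

if __name__ == "__main__":
    print("benign    ->", prevalidate_saml_response(BENIGN_RESPONSE, IDP_ENTITY_ID))
    print("malicious ->", prevalidate_saml_response(MALICIOUS_RESPONSE, IDP_ENTITY_ID))
```

The ordering matters: the transform allowlist is applied to the raw document before anything cryptographic runs, which is exactly the step Santuario 1.4.1 left to the application. The same function doubles as a log-review tool for step 4 of the remediation: run it over captured SAML response bodies and anything that returns "xslt-transform" or "xalan-java-extension-namespace" is an exploitation attempt, whatever the Issuer says.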

Discovery

Horizon3.ai published the public technical analysis on January 10, 2023, together with indicators of compromise, after working back from the patched builds; the vulnerability itself had been reported to Zoho before the fixes began shipping in October 2022. Rapid7's managed detection and response team documented exploitation in the wild beginning shortly after proof-of-concept code became public.

Exploitation Context

CVE-2022-47966 was rapidly taken up by both opportunistic and targeted threat actors, reflecting the value of ManageEngine products as an initial-access foothold:

  • Ransomware groups: several ransomware operators used the vulnerability for initial access before deploying encryption payloads across enterprise environments.
  • State-sponsored actors: a joint CISA, FBI and CNMF advisory (AA23-250A, September 2023) documented nation-state actors exploiting CVE-2022-47966 for initial access, part of a broader pattern of APT targeting of ManageEngine products across 2022–2023 against defense, critical infrastructure and healthcare organizations.
  • Post-exploitation patterns: after the initial RCE, actors commonly dropped webshells, harvested the credentials of the ManageEngine service account, and moved laterally using the Active Directory privileges that account holds.

The breadth of the vulnerability (20+ products) combined with ManageEngine's large enterprise install base made this a highly impactful exploitation campaign.

Remediation

  1. Update all affected ManageEngine products: apply the fixed builds listed in the ManageEngine advisory. Each product has its own fixed build number, so verify each installed product independently, including products where SAML SSO is currently switched off but was enabled in the past.
  2. Disable SAML SSO where it is not needed: this removes the attack surface going forward, but it is not a substitute for patching a product in which SAML was ever configured.
  3. Audit for exploitation indicators: look for new or recently modified .jsp files under the product's web root, new administrator accounts, unexpected scheduled tasks or services, and child processes (cmd.exe, powershell.exe, or their Linux equivalents) spawned by the ManageEngine Java process.
  4. Review authentication and web logs: a SAML response reaches the product through the user's browser (HTTP-POST binding), so the client address in the access log will not be the IdP's. Look instead for SAML responses whose Issuer is not the configured IdP, for signature-validation failures, and for POSTs to the product's SAML endpoint from addresses that have no reason to log in; where request bodies are available, a ds:Transform with the XSLT algorithm or the string http://xml.apache.org/xalan/java/ is a direct indicator of an exploitation attempt.
  5. Rotate the ManageEngine service account credentials: these accounts often hold broad Active Directory privileges. Treat them as compromised if exploitation cannot be ruled out, and rotate any credentials the product stores (password vault entries, AD connection accounts).
  6. Apply defense in depth: do not expose ManageEngine management interfaces to the internet; require VPN or another authenticated gateway for remote administration.
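Step 3 in code, as an added example that is not ManageEngine tooling: walk a web root, flag JSP files that match a few webshell patterns or were modified after a cut-off date, and exercise it on a directory tree constructed on the fly. The pattern set, the webapps/ROOT layout and the dropped-file name are illustrative assumptions, and the sample "shell" is only bytes on disk, never served or executed.

```python
"""Hunt for dropped JSP webshells under a ManageEngine web root.

Added example, not vendor tooling.  The pattern set is a deliberately small
assumption; the directory tree is constructed in build_sample_webroot()."""
import os
import re
import tempfile
import time

JSP_SUFFIXES = (".jsp", ".jspx", ".jspf")
# Indicators a hand-dropped JSP shell almost always carries (assumed minimal set).
WEBSHELL_PATTERNS = {
    "runtime-exec": re.compile(rb"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    "process-builder": re.compile(rb"new\s+ProcessBuilder\s*\("),
    # a request parameter flowing into an exec call within a short window
    "param-to-exec": re.compile(rb"request\.getParameter\s*\([^)]*\)[\s\S]{0,200}?\.exec\s*\("),
    "dynamic-class-loading": re.compile(rb"defineClass\s*\(|Class\.forName\s*\("),
}


def scan_webroot(webroot, modified_after):
    """Return one record per JSP file that matches a pattern or was modified
    after the cut-off (epoch seconds); files matching neither are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(JSP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            matched = sorted(k for k, rx in WEBSHELL_PATTERNS.items() if rx.search(body))
            recent = os.stat(path).st_mtime > modified_after
            if matched or recent:
                hits.append({
                    "path": os.path.relpath(path, webroot).replace(os.sep, "/"),
                    "indicators": matched,
                    "modified_after_cutoff": recent,
                })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_webroot():
    """Construct a throwaway tree with one legitimate page (old) and one dropped
    shell (fresh).  Returns (webroot, cut-off timestamp seven days ago)."""
    root = tempfile.mkdtemp(prefix="me-webroot-")
    legit = os.path.join(root, "webapps", "ROOT", "index.jsp")
    shell = os.path.join(root, "webapps", "ROOT", "images", "logo.jsp")
    for p in (legit, shell):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(legit, "wb") as fh:
        fh.write(b'<%@ page language="java" %><html><body>Welcome</body></html>')
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(legit, (ninety_days_ago, ninety_days_ago))
    with open(shell, "wb") as fh:  # constructed shell body; inert bytes on disk
        fh.write(b'<%@ page import="java.io.*" %>'
                 b'<% String c = request.getParameter("cmd");'
                 b' Process p = Runtime.getRuntime().exec(c); %>')
    return root, time.time() - 7 * 86400


if __name__ == "__main__":
    webroot, cutoff = build_sample_webroot()
    for hit in scan_webroot(webroot, cutoff):
        print(hit)
```

Two records matter in practice: a file that matches a pattern regardless of age (attackers backdate timestamps), and a file that is new regardless of content (obfuscated shells match nothing). On a real host point `scan_webroot` at the product's web root and set the cut-off to the earliest plausible exploitation date for that install, not to the patch date.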

Key Details

CVE ID: CVE-2022-47966
Vendor / Product: Zoho — ManageEngine
NVD Published: 2023-01-18
NVD Last Modified: 2025-10-31
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CISA KEV Added: 2023-01-23
CISA KEV Deadline: 2023-02-13
Known Ransomware Use: ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-02-13. Apply updates per vendor instructions.

Timeline

2022-10-27  ManageEngine began releasing patched builds across the affected products
2023-01-10  Horizon3.ai published a technical analysis with indicators of compromise
2023-01-18  CVE published in NVD
2023-01-19  Rapid7 reported active exploitation in the wild
2023-01-23  Added to the CISA KEV catalog
2023-02-13  CISA BOD 22-01 remediation deadline

References

NVD — CVE-2022-47966 (vulnerability database)
CISA KEV Catalog entry (US Government)
ManageEngine Security Advisory — CVE-2022-47966 (vendor advisory)