CVE-2022-47966

CRITICAL
2023-01-18 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Oct 31, 2025 - 14:39 cisa
CISA KEV
PoC Detected
Oct 31, 2025 - 14:39 vuln.today
Public exploit code
Patch Released
Oct 31, 2025 - 14:39 nvd
Patch available
CVE Published
Jan 18, 2023 - 18:15 nvd
CRITICAL 9.8

Description

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Analysis

Multiple Zoho ManageEngine on-premise products allow unauthenticated remote code execution through SAML SSO functionality due to use of a vulnerable Apache XML Security library, massively exploited in January 2023.

Technical Context

The CWE-20 vulnerability leverages Apache XML Security for Java 1.4.1's XSLT processing during SAML signature verification. The library was designed to delegate security to the application, but ManageEngine's implementation doesn't restrict XSLT execution. Attackers send crafted SAML responses containing XSLT transforms that execute arbitrary Java code.

Affected Products

['Zoho ManageEngine ServiceDesk Plus through 14003', 'Multiple other ManageEngine on-premise products using SAML SSO']

Remediation

Apply ManageEngine security updates. Disable SAML SSO if not required. Monitor for unauthorized access to ManageEngine admin interfaces. Check for web shells in ManageEngine directories.

Priority Score

223
Low Medium High Critical
KEV: +50
EPSS: +94.4
CVSS: +49
POC: +20

Share

CVE-2022-47966 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy