CVE-2022-47966

CVE-2022-47966 is a critical-severity vulnerability in Zohocorp Manageengine Access Manager Plus with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-01-23). The underlying weakness is classified as CWE-20.

Key facts

Description

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

CVE-2022-47966: Zoho ManageEngine Multiple Products SAML RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-47966
CVSS v3 9.8 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-20: Improper Input Validation
EPSS 0.99753 (99.95th percentile)
KEV Yes (CISA, since 2023-01-23)
EU Exploited Yes (since 2023-01-23)
Published 2023-01-18

Summary

Multiple Zoho ManageEngine on-premise products are vulnerable to unauthenticated remote code execution. The vulnerability exists because these products use Apache Santuario xmlsec (XML Security for Java) version 1.4.1 for SAML authentication. In this version, xmlsec's XSLT processing features place the responsibility for security protections on the calling application. The ManageEngine applications failed to implement these protections, allowing attackers to inject malicious XSLT content into SAML responses and achieve arbitrary code execution.

Exploitation is only possible if SAML single sign-on (SSO) has ever been configured for a product. For some products, SAML SSO must also be currently active.

Background

SAML (Security Assertion Markup Language) 2.0 is an XML-based authentication and authorization protocol widely used for enterprise single sign-on. When a user authenticates through an identity provider (IdP), the IdP sends a SAML assertion to the service provider (SP) — in this case, the ManageEngine product. The SP validates the cryptographic signature on the SAML assertion using an XML security library.

Zoho ManageEngine uses Apache Santuario xmlsec 1.4.1 to handle XML signature validation. This version of the library supports XSLT (Extensible Stylesheet Language Transformations) processing as part of the XML security pipeline. XSLT is a powerful Turing-complete language that can execute arbitrary logic during transformation, including the ability to invoke external resources and, in vulnerable contexts, execute system commands.

Root Cause

The root cause is categorized as CWE-20: Improper Input Validation.

Apache Santuario xmlsec 1.4.1 does not disable XSLT transformations by default. Instead, it delegates the responsibility of restricting dangerous transforms to the application using the library. The ManageEngine applications did not implement the necessary security controls to:

  1. Restrict XSLT transforms during XML signature validation.
  2. Validate or sanitize the contents of SAML assertions before processing.
  3. Disable dangerous XML features such as external entity resolution and XSLT script execution.

Consequently, an attacker who can craft or intercept a SAML response can embed a malicious XSLT stylesheet. When the ManageEngine product attempts to validate the SAML assertion's signature, the XSLT engine processes the attacker-controlled stylesheet, leading to remote code execution on the server.

Impact

The vulnerability is rated CRITICAL with a CVSS v3.1 base score of 9.8.

Metric Value
Attack Vector (AV) Network — exploitable remotely without network boundary restrictions
Attack Complexity (AC) Low — no special conditions or bypasses required
Privileges Required (PR) None — completely unauthenticated
User Interaction (UI) None — no victim interaction needed
Scope (S) Unchanged — impact limited to the vulnerable component
Confidentiality (C) High — total information disclosure
Integrity (I) High — complete data and system compromise
Availability (A) High — complete system shutdown possible

A successful attack allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the application server. Given that many ManageEngine products run with administrative or SYSTEM-level privileges in enterprise environments, this typically results in full domain or infrastructure compromise.

Exploitation Walkthrough

Ethics Notice: This section describes the exploitation concept from a defensive perspective. No weaponized exploit code is provided. Security professionals should use this understanding to improve detection and hardening only.

The exploitation flow follows the SAML authentication sequence:

  1. Reconnaissance: The attacker identifies a ManageEngine product with SAML SSO configured. This may be observable from login pages, metadata endpoints, or network scanning.

  2. SAML Response Crafting: The attacker constructs a SAML assertion or response. Because some products accept self-signed or attacker-controlled assertions (depending on configuration), the attacker may not need to compromise a legitimate IdP. The SAML XML embeds an XSLT stylesheet within a <Transform> element inside the <SignedInfo> block.

  3. XSLT Injection: The malicious XSLT payload leverages XSLT extension functions (such as Java-specific extensions) to load and execute arbitrary Java classes or invoke runtime system commands. The payload is embedded in what appears to be a legitimate SAML message.

  4. Signature Wrapping: In some variants, the attacker uses XML signature wrapping techniques to ensure the application validates one portion of the document (the benign portion) while processing another (the malicious XSLT portion).

  5. Delivery: The crafted SAML response is sent to the product's SAML assertion consumer service (ACS) endpoint, typically via an HTTP POST request.

  6. Execution: The application passes the SAML response to xmlsec 1.4.1 for signature validation. The library processes the XSLT transform, executing the attacker's payload and yielding remote code execution.

Defensive Takeaway: The presence of SAML SSO configuration is the primary precondition. Organizations should treat any ManageEngine product with SAML history as potentially exploitable, even if SAML is currently disabled.

Affected and Patched Versions

The following Zoho ManageEngine products and versions are affected. Unless noted, upgrade to the version listed as "before" the patch threshold (i.e., the patch version is the first safe one):

Product Affected Versions Patched Version
Access Manager Plus All before 4308 4308 or later
Active Directory 360 (AD360) All before 4310 4310 or later
ADAudit Plus All before 7081 7081 or later
ADManager Plus All before 7162 7162 or later
ADSelfService Plus All before 6211 6211 or later
Analytics Plus All before 5150 5150 or later
Application Control Plus All before 10.1.2220.18 10.1.2220.18 or later
Asset Explorer All before 6983 6983 or later
Browser Security Plus All before 11.1.2238.6 11.1.2238.6 or later
Device Control Plus All before 10.1.2220.18 10.1.2220.18 or later
Endpoint Central All before 10.1.2228.11 10.1.2228.11 or later
Endpoint Central MSP All before 10.1.2228.11 10.1.2228.11 or later
Endpoint DLP Plus All before 10.1.2137.6 10.1.2137.6 or later
Key Manager Plus All before 6401 6401 or later
OS Deployer All before 1.1.2243.1 1.1.2243.1 or later
PAM 360 All before 5713 5713 or later
Password Manager Pro All before 12124 12124 or later
Patch Manager Plus All before 10.1.2220.18 10.1.2220.18 or later
Remote Access Plus All before 10.1.2228.11 10.1.2228.11 or later
Remote Monitoring and Management (RMM) All before 10.1.41 10.1.41 or later
ServiceDesk Plus All before 14004 14004 or later
ServiceDesk Plus MSP All before 13001 13001 or later
SupportCenter Plus All before 11026 11026 or later
Vulnerability Manager Plus All before 10.1.2220.18 10.1.2220.18 or later

Remediation

  1. Immediate Upgrade: Apply the relevant security patches from Zoho ManageEngine immediately. The vendor released patches in January 2023. Refer to the official advisory for exact download links.

  2. Disable SAML SSO (Temporary): If patching is not immediately possible and the product has SAML SSO enabled, consider disabling SAML SSO and reverting to local authentication until the patch is applied. Note that for some products, merely having SAML SSO configured in the past is sufficient for exploitation.

  3. Network Segmentation: Restrict access to ManageEngine products to authorized administrative hosts and VPNs. Do not expose these products directly to the internet unless absolutely necessary.

  4. Web Application Firewall (WAF): Deploy WAF rules to detect and block SAML responses containing XSLT transforms or suspicious XML payloads. However, WAF bypass techniques exist, so this should not be considered a standalone fix.

  5. Compensating Controls:

    • Monitor SAML ACS endpoints for unusual POST requests.
    • Ensure ManageEngine services run with least-privilege accounts rather than SYSTEM or root where possible.
    • Review SAML configuration files and metadata for unauthorized changes.

Detection

Security teams should monitor for the following indicators:

  • Unexpected SAML POST requests to /saml/SSO or similar ACS endpoints, especially from unusual source IPs.
  • XML payloads containing XSLT elements (<xsl:stylesheet>, <xsl:transform>, or <Transform Algorithm="http://www.w3.org/1999/XSL/Transform">) in HTTP POST bodies to SAML endpoints.
  • Process spawning anomalies on ManageEngine servers, such as cmd.exe, powershell.exe, or unexpected Java subprocesses.
  • Outbound network connections from ManageEngine application servers to unexpected destinations, which may indicate reverse shells or payload retrieval.
  • File system modifications in web application directories or temporary folders associated with the application server.
  • SIEM Rules: Correlation rules detecting large or complex XML payloads to SAML endpoints combined with subsequent process execution events.

Assessment

EPSS Context: With an EPSS score of 0.99753 (99.95th percentile), this vulnerability is among the most likely to be exploited in the wild. The extremely high EPSS reflects active exploitation, public proof-of-concept availability, and the vulnerability's presence in the CISA KEV catalog.

KEV Status: CISA added CVE-2022-47966 to the Known Exploited Vulnerabilities catalog on 2023-01-23. Federal agencies were required to remediate by early 2023. The EU also flagged this vulnerability as exploited since the same date.

Lessons Learned:

  1. Third-party library hygiene is critical. The vulnerability was not in ManageEngine's own code but in how it used Apache Santuario xmlsec 1.4.1. Organizations must track not just direct dependencies but also the security assumptions and required configuration hardening for each library.

  2. SAML is a high-risk attack surface. Any product implementing SAML should undergo rigorous security review of its XML processing pipeline, including XSLT transforms, external entities, and signature wrapping defenses.

References

Frequently asked questions

What is CVE-2022-47966?
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
How severe is CVE-2022-47966?
CVE-2022-47966 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-47966 being actively exploited?
Yes. CVE-2022-47966 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-01-23, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-47966?
CVE-2022-47966 primarily affects Zohocorp Manageengine Access Manager Plus. In total, 156 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-47966?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-47966 have an EU (EUVD) identifier?
Yes. CVE-2022-47966 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-50684. It is also flagged as exploited in the EUVD (since 2023-01-23).
When was CVE-2022-47966 published?
CVE-2022-47966 was published on 2023-01-18 and last updated on 2026-06-17.

References

Affected products (156)

More vulnerabilities in Zohocorp Manageengine Access Manager Plus

All CVEs affecting Zohocorp Manageengine Access Manager Plus →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →