CVE-2022-47966
CVE-2022-47966 is a critical-severity vulnerability in Zohocorp Manageengine Access Manager Plus with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-01-23). The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-01-23)
- EU (EUVD) id: EUVD-2022-50684
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-01-23)
- Weakness: CWE-20
- Affected product: Zohocorp Manageengine Access Manager Plus
- Published:
- Last modified:
Description
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
CVE-2022-47966: Zoho ManageEngine Multiple Products SAML RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-47966 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-20: Improper Input Validation |
| EPSS | 0.99753 (99.95th percentile) |
| KEV | Yes (CISA, since 2023-01-23) |
| EU Exploited | Yes (since 2023-01-23) |
| Published | 2023-01-18 |
Summary
Multiple Zoho ManageEngine on-premise products are vulnerable to unauthenticated remote code execution. The vulnerability exists because these products use Apache Santuario xmlsec (XML Security for Java) version 1.4.1 for SAML authentication. In this version, xmlsec's XSLT processing features place the responsibility for security protections on the calling application. The ManageEngine applications failed to implement these protections, allowing attackers to inject malicious XSLT content into SAML responses and achieve arbitrary code execution.
Exploitation is only possible if SAML single sign-on (SSO) has ever been configured for a product. For some products, SAML SSO must also be currently active.
Background
SAML (Security Assertion Markup Language) 2.0 is an XML-based authentication and authorization protocol widely used for enterprise single sign-on. When a user authenticates through an identity provider (IdP), the IdP sends a SAML assertion to the service provider (SP) — in this case, the ManageEngine product. The SP validates the cryptographic signature on the SAML assertion using an XML security library.
Zoho ManageEngine uses Apache Santuario xmlsec 1.4.1 to handle XML signature validation. This version of the library supports XSLT (Extensible Stylesheet Language Transformations) processing as part of the XML security pipeline. XSLT is a powerful Turing-complete language that can execute arbitrary logic during transformation, including the ability to invoke external resources and, in vulnerable contexts, execute system commands.
Root Cause
The root cause is categorized as CWE-20: Improper Input Validation.
Apache Santuario xmlsec 1.4.1 does not disable XSLT transformations by default. Instead, it delegates the responsibility of restricting dangerous transforms to the application using the library. The ManageEngine applications did not implement the necessary security controls to:
- Restrict XSLT transforms during XML signature validation.
- Validate or sanitize the contents of SAML assertions before processing.
- Disable dangerous XML features such as external entity resolution and XSLT script execution.
Consequently, an attacker who can craft or intercept a SAML response can embed a malicious XSLT stylesheet. When the ManageEngine product attempts to validate the SAML assertion's signature, the XSLT engine processes the attacker-controlled stylesheet, leading to remote code execution on the server.
Impact
The vulnerability is rated CRITICAL with a CVSS v3.1 base score of 9.8.
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network — exploitable remotely without network boundary restrictions |
| Attack Complexity (AC) | Low — no special conditions or bypasses required |
| Privileges Required (PR) | None — completely unauthenticated |
| User Interaction (UI) | None — no victim interaction needed |
| Scope (S) | Unchanged — impact limited to the vulnerable component |
| Confidentiality (C) | High — total information disclosure |
| Integrity (I) | High — complete data and system compromise |
| Availability (A) | High — complete system shutdown possible |
A successful attack allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the application server. Given that many ManageEngine products run with administrative or SYSTEM-level privileges in enterprise environments, this typically results in full domain or infrastructure compromise.
Exploitation Walkthrough
Ethics Notice: This section describes the exploitation concept from a defensive perspective. No weaponized exploit code is provided. Security professionals should use this understanding to improve detection and hardening only.
The exploitation flow follows the SAML authentication sequence:
-
Reconnaissance: The attacker identifies a ManageEngine product with SAML SSO configured. This may be observable from login pages, metadata endpoints, or network scanning.
-
SAML Response Crafting: The attacker constructs a SAML assertion or response. Because some products accept self-signed or attacker-controlled assertions (depending on configuration), the attacker may not need to compromise a legitimate IdP. The SAML XML embeds an XSLT stylesheet within a
<Transform>element inside the<SignedInfo>block. -
XSLT Injection: The malicious XSLT payload leverages XSLT extension functions (such as Java-specific extensions) to load and execute arbitrary Java classes or invoke runtime system commands. The payload is embedded in what appears to be a legitimate SAML message.
-
Signature Wrapping: In some variants, the attacker uses XML signature wrapping techniques to ensure the application validates one portion of the document (the benign portion) while processing another (the malicious XSLT portion).
-
Delivery: The crafted SAML response is sent to the product's SAML assertion consumer service (ACS) endpoint, typically via an HTTP POST request.
-
Execution: The application passes the SAML response to xmlsec 1.4.1 for signature validation. The library processes the XSLT transform, executing the attacker's payload and yielding remote code execution.
Defensive Takeaway: The presence of SAML SSO configuration is the primary precondition. Organizations should treat any ManageEngine product with SAML history as potentially exploitable, even if SAML is currently disabled.
Affected and Patched Versions
The following Zoho ManageEngine products and versions are affected. Unless noted, upgrade to the version listed as "before" the patch threshold (i.e., the patch version is the first safe one):
| Product | Affected Versions | Patched Version |
|---|---|---|
| Access Manager Plus | All before 4308 | 4308 or later |
| Active Directory 360 (AD360) | All before 4310 | 4310 or later |
| ADAudit Plus | All before 7081 | 7081 or later |
| ADManager Plus | All before 7162 | 7162 or later |
| ADSelfService Plus | All before 6211 | 6211 or later |
| Analytics Plus | All before 5150 | 5150 or later |
| Application Control Plus | All before 10.1.2220.18 | 10.1.2220.18 or later |
| Asset Explorer | All before 6983 | 6983 or later |
| Browser Security Plus | All before 11.1.2238.6 | 11.1.2238.6 or later |
| Device Control Plus | All before 10.1.2220.18 | 10.1.2220.18 or later |
| Endpoint Central | All before 10.1.2228.11 | 10.1.2228.11 or later |
| Endpoint Central MSP | All before 10.1.2228.11 | 10.1.2228.11 or later |
| Endpoint DLP Plus | All before 10.1.2137.6 | 10.1.2137.6 or later |
| Key Manager Plus | All before 6401 | 6401 or later |
| OS Deployer | All before 1.1.2243.1 | 1.1.2243.1 or later |
| PAM 360 | All before 5713 | 5713 or later |
| Password Manager Pro | All before 12124 | 12124 or later |
| Patch Manager Plus | All before 10.1.2220.18 | 10.1.2220.18 or later |
| Remote Access Plus | All before 10.1.2228.11 | 10.1.2228.11 or later |
| Remote Monitoring and Management (RMM) | All before 10.1.41 | 10.1.41 or later |
| ServiceDesk Plus | All before 14004 | 14004 or later |
| ServiceDesk Plus MSP | All before 13001 | 13001 or later |
| SupportCenter Plus | All before 11026 | 11026 or later |
| Vulnerability Manager Plus | All before 10.1.2220.18 | 10.1.2220.18 or later |
Remediation
-
Immediate Upgrade: Apply the relevant security patches from Zoho ManageEngine immediately. The vendor released patches in January 2023. Refer to the official advisory for exact download links.
-
Disable SAML SSO (Temporary): If patching is not immediately possible and the product has SAML SSO enabled, consider disabling SAML SSO and reverting to local authentication until the patch is applied. Note that for some products, merely having SAML SSO configured in the past is sufficient for exploitation.
-
Network Segmentation: Restrict access to ManageEngine products to authorized administrative hosts and VPNs. Do not expose these products directly to the internet unless absolutely necessary.
-
Web Application Firewall (WAF): Deploy WAF rules to detect and block SAML responses containing XSLT transforms or suspicious XML payloads. However, WAF bypass techniques exist, so this should not be considered a standalone fix.
-
Compensating Controls:
- Monitor SAML ACS endpoints for unusual POST requests.
- Ensure ManageEngine services run with least-privilege accounts rather than SYSTEM or root where possible.
- Review SAML configuration files and metadata for unauthorized changes.
Detection
Security teams should monitor for the following indicators:
- Unexpected SAML POST requests to
/saml/SSOor similar ACS endpoints, especially from unusual source IPs. - XML payloads containing XSLT elements (
<xsl:stylesheet>,<xsl:transform>, or<Transform Algorithm="http://www.w3.org/1999/XSL/Transform">) in HTTP POST bodies to SAML endpoints. - Process spawning anomalies on ManageEngine servers, such as
cmd.exe,powershell.exe, or unexpected Java subprocesses. - Outbound network connections from ManageEngine application servers to unexpected destinations, which may indicate reverse shells or payload retrieval.
- File system modifications in web application directories or temporary folders associated with the application server.
- SIEM Rules: Correlation rules detecting large or complex XML payloads to SAML endpoints combined with subsequent process execution events.
Assessment
EPSS Context: With an EPSS score of 0.99753 (99.95th percentile), this vulnerability is among the most likely to be exploited in the wild. The extremely high EPSS reflects active exploitation, public proof-of-concept availability, and the vulnerability's presence in the CISA KEV catalog.
KEV Status: CISA added CVE-2022-47966 to the Known Exploited Vulnerabilities catalog on 2023-01-23. Federal agencies were required to remediate by early 2023. The EU also flagged this vulnerability as exploited since the same date.
Lessons Learned:
-
Third-party library hygiene is critical. The vulnerability was not in ManageEngine's own code but in how it used Apache Santuario xmlsec 1.4.1. Organizations must track not just direct dependencies but also the security assumptions and required configuration hardening for each library.
-
SAML is a high-risk attack surface. Any product implementing SAML should undergo rigorous security review of its XML processing pipeline, including XSLT transforms, external entities, and signature wrapping defenses.
References
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis
- https://blog.viettelcybersecurity.com/saml-show-stopper/
- https://github.com/horizon3ai/CVE-2022-47966
- https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47966
- http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html
Frequently asked questions
- What is CVE-2022-47966?
- Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
- How severe is CVE-2022-47966?
- CVE-2022-47966 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-47966 being actively exploited?
- Yes. CVE-2022-47966 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-01-23, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-47966?
- CVE-2022-47966 primarily affects Zohocorp Manageengine Access Manager Plus. In total, 156 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-47966?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-47966 have an EU (EUVD) identifier?
- Yes. CVE-2022-47966 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-50684. It is also flagged as exploited in the EUVD (since 2023-01-23).
- When was CVE-2022-47966 published?
- CVE-2022-47966 was published on 2023-01-18 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html
- https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis
- https://blog.viettelcybersecurity.com/saml-show-stopper/
- https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
- https://github.com/horizon3ai/CVE-2022-47966
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-47966
Affected products (156)
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4301:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4302:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4303:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4304:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4305:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4306:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4307:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4302:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4303:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4304:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4305:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4306:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4308:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4309:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7003:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7004:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7005:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7006:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7007:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7008:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7050:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7051:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7052:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7053:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7054:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7055:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7060:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7062:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7063:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7065:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7080:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_admanager_plus:7.1:7100:*:*:*:*:*:*
More vulnerabilities in Zohocorp Manageengine Access Manager Plus
- CVE-2022-47523 — Critical (CVSS 9.8): Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are…
- CVE-2022-43672 — Critical (CVSS 9.8): Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL…
- CVE-2022-43671 — Critical (CVSS 9.8): Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL…
- CVE-2022-40300 — Critical (CVSS 9.8): Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager…
- CVE-2022-35405 — Critical (CVSS 9.8): Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote…
- CVE-2022-29081 — Critical (CVSS 9.8): Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are…
All CVEs affecting Zohocorp Manageengine Access Manager Plus →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →