Exploited
critical
9.8
Advisory Published
Updated

CVE-2022-47966: Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability

First published: Wed Jan 18 2023(Updated: )

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Credit: cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Zohocorp Manageengine Access Manager Plus<4.3
Zohocorp Manageengine Access Manager Plus=4.3-build4300
Zohocorp Manageengine Access Manager Plus=4.3-build4301
Zohocorp Manageengine Access Manager Plus=4.3-build4302
Zohocorp Manageengine Access Manager Plus=4.3-build4303
Zohocorp Manageengine Access Manager Plus=4.3-build4304
Zohocorp Manageengine Access Manager Plus=4.3-build4305
Zohocorp Manageengine Access Manager Plus=4.3-build4306
Zohocorp Manageengine Access Manager Plus=4.3-build4307
Zohocorp Manageengine Ad360<4.3
Zohocorp Manageengine Ad360=4.3-4300
Zohocorp Manageengine Ad360=4.3-4302
Zohocorp Manageengine Ad360=4.3-4303
Zohocorp Manageengine Ad360=4.3-4304
Zohocorp Manageengine Ad360=4.3-4305
Zohocorp Manageengine Ad360=4.3-4306
Zohocorp Manageengine Ad360=4.3-4308
Zohocorp Manageengine Ad360=4.3-4309
Zohocorp Manageengine Adaudit Plus<7.0
Zohocorp Manageengine Adaudit Plus=7.0-7000
Zohocorp Manageengine Adaudit Plus=7.0-7002
Zohocorp Manageengine Adaudit Plus=7.0-7003
Zohocorp Manageengine Adaudit Plus=7.0-7004
Zohocorp Manageengine Adaudit Plus=7.0-7005
Zohocorp Manageengine Adaudit Plus=7.0-7006
Zohocorp Manageengine Adaudit Plus=7.0-7007
Zohocorp Manageengine Adaudit Plus=7.0-7008
Zohocorp Manageengine Adaudit Plus=7.0-7050
Zohocorp Manageengine Adaudit Plus=7.0-7051
Zohocorp Manageengine Adaudit Plus=7.0-7052
Zohocorp Manageengine Adaudit Plus=7.0-7053
Zohocorp Manageengine Adaudit Plus=7.0-7054
Zohocorp Manageengine Adaudit Plus=7.0-7055
Zohocorp Manageengine Adaudit Plus=7.0-7060
Zohocorp Manageengine Adaudit Plus=7.0-7062
Zohocorp Manageengine Adaudit Plus=7.0-7063
Zohocorp Manageengine Adaudit Plus=7.0-7065
Zohocorp Manageengine Adaudit Plus=7.0-7080
Zohocorp Manageengine Admanager Plus<7.1
Zohocorp Manageengine Admanager Plus=7.1-7100
Zohocorp Manageengine Admanager Plus=7.1-7101
Zohocorp Manageengine Admanager Plus=7.1-7102
Zohocorp Manageengine Admanager Plus=7.1-7110
Zohocorp Manageengine Admanager Plus=7.1-7111
Zohocorp Manageengine Admanager Plus=7.1-7112
Zohocorp Manageengine Admanager Plus=7.1-7113
Zohocorp Manageengine Admanager Plus=7.1-7114
Zohocorp Manageengine Admanager Plus=7.1-7115
Zohocorp Manageengine Admanager Plus=7.1-7116
Zohocorp Manageengine Admanager Plus=7.1-7117
Zohocorp Manageengine Admanager Plus=7.1-7118
Zohocorp Manageengine Admanager Plus=7.1-7120
Zohocorp Manageengine Admanager Plus=7.1-7121
Zohocorp Manageengine Admanager Plus=7.1-7122
Zohocorp Manageengine Admanager Plus=7.1-7123
Zohocorp Manageengine Admanager Plus=7.1-7124
Zohocorp Manageengine Admanager Plus=7.1-7125
Zohocorp Manageengine Admanager Plus=7.1-7126
Zohocorp Manageengine Admanager Plus=7.1-7130
Zohocorp Manageengine Admanager Plus=7.1-7131
Zohocorp Manageengine Admanager Plus=7.1-7140
Zohocorp Manageengine Admanager Plus=7.1-7141
Zohocorp Manageengine Admanager Plus=7.1-7150
Zohocorp Manageengine Admanager Plus=7.1-7151
Zohocorp Manageengine Admanager Plus=7.1-7160
Zohocorp Manageengine Admanager Plus=7.1-7161
Zohocorp Manageengine Adselfservice Plus<6.2
Zohocorp Manageengine Adselfservice Plus=6.2-6200
Zohocorp Manageengine Adselfservice Plus=6.2-6201
Zohocorp Manageengine Adselfservice Plus=6.2-6202
Zohocorp Manageengine Adselfservice Plus=6.2-6203
Zohocorp Manageengine Adselfservice Plus=6.2-6204
Zohocorp Manageengine Adselfservice Plus=6.2-6205
Zohocorp Manageengine Adselfservice Plus=6.2-6206
Zohocorp Manageengine Adselfservice Plus=6.2-6207
Zohocorp Manageengine Adselfservice Plus=6.2-6208
Zohocorp Manageengine Adselfservice Plus=6.2-6209
Zohocorp Manageengine Adselfservice Plus=6.2-6210
Zoho ManageEngine<5.1
Zoho ManageEngine=5.1-5100
Zoho ManageEngine=5.1-5110
Zoho ManageEngine=5.1-5120
Zoho ManageEngine=5.1-5121
Zoho ManageEngine=5.1-5130
Zoho ManageEngine=5.1-5140
Zohocorp Manageengine Assetexplorer<6.9
Zohocorp Manageengine Assetexplorer=6.9-6900
Zohocorp Manageengine Assetexplorer=6.9-6901
Zohocorp Manageengine Assetexplorer=6.9-6902
Zohocorp Manageengine Assetexplorer=6.9-6903
Zohocorp Manageengine Assetexplorer=6.9-6904
Zohocorp Manageengine Assetexplorer=6.9-6905
Zohocorp Manageengine Assetexplorer=6.9-6906
Zohocorp Manageengine Assetexplorer=6.9-6907
Zohocorp Manageengine Assetexplorer=6.9-6908
Zohocorp Manageengine Assetexplorer=6.9-6909
Zohocorp Manageengine Assetexplorer=6.9-6950
Zohocorp Manageengine Assetexplorer=6.9-6951
Zohocorp Manageengine Assetexplorer=6.9-6952
Zohocorp Manageengine Assetexplorer=6.9-6953
Zohocorp Manageengine Assetexplorer=6.9-6954
Zohocorp Manageengine Assetexplorer=6.9-6955
Zohocorp Manageengine Assetexplorer=6.9-6956
Zohocorp Manageengine Assetexplorer=6.9-6957
Zohocorp Manageengine Assetexplorer=6.9-6970
Zohocorp Manageengine Assetexplorer=6.9-6971
Zohocorp Manageengine Assetexplorer=6.9-6972
Zohocorp Manageengine Assetexplorer=6.9-6973
Zohocorp Manageengine Assetexplorer=6.9-6974
Zohocorp Manageengine Assetexplorer=6.9-6975
Zohocorp Manageengine Assetexplorer=6.9-6976
Zohocorp Manageengine Assetexplorer=6.9-6977
Zohocorp Manageengine Assetexplorer=6.9-6978
Zohocorp Manageengine Assetexplorer=6.9-6979
Zohocorp Manageengine Assetexplorer=6.9-6980
Zohocorp Manageengine Assetexplorer=6.9-6981
Zohocorp Manageengine Assetexplorer=6.9-6982
Zohocorp Manageengine Key Manager Plus<6.4
Zohocorp Manageengine Key Manager Plus=6.4-6400
Zohocorp Manageengine Pam360<5.7
Zohocorp Manageengine Pam360=5.7-build5700
Zohocorp Manageengine Pam360=5.7-build5710
Zohocorp Manageengine Pam360=5.7-build5711
Zohocorp Manageengine Pam360=5.7-build5712
Zohocorp Manageengine Password Manager Pro<12.1
Zohocorp Manageengine Password Manager Pro=12.1-build12100
Zohocorp Manageengine Password Manager Pro=12.1-build12101
Zohocorp Manageengine Password Manager Pro=12.1-build12110
Zohocorp Manageengine Password Manager Pro=12.1-build12120
Zohocorp Manageengine Password Manager Pro=12.1-build12121
Zohocorp Manageengine Password Manager Pro=12.1-build12122
Zohocorp Manageengine Password Manager Pro=12.1-build12123
Zohocorp Manageengine Servicedesk Plus<14.0
Zohocorp Manageengine Servicedesk Plus=14.0-14000
Zohocorp Manageengine Servicedesk Plus=14.0-14001
Zohocorp Manageengine Servicedesk Plus=14.0-14002
Zohocorp Manageengine Servicedesk Plus=14.0-14003
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus<13.0
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=13.0-13000
Zohocorp Manageengine Supportcenter Plus=11.0-11017
Zohocorp Manageengine Supportcenter Plus=11.0-11018
Zohocorp Manageengine Supportcenter Plus=11.0-11019
Zohocorp Manageengine Supportcenter Plus=11.0-11020
Zohocorp Manageengine Supportcenter Plus=11.0-11021
Zohocorp Manageengine Supportcenter Plus=11.0-11022
Zohocorp Manageengine Supportcenter Plus=11.0-11024
Zohocorp Manageengine Supportcenter Plus=11.0-11025
Zoho ManageEngine<=10.1.220.17
Zohocorp Manageengine Browser Security Plus<=11.1.2238.5
Zohocorp Manageengine Desktop Central<=10.1.2228.10
Zohocorp Manageengine Desktop Central<=10.1.2228.10
Zoho ManageEngine<=10.1.2220.17
Zohocorp Manageengine Endpoint Dlp Plus<=10.1.2137.5
Zohocorp Manageengine Os Deployer<=1.1.2243.0
Zoho ManageEngine<=10.1.2220.17
Zohocorp Manageengine Remote Access Plus<=10.1.2228.10
Zoho ManageEngine<=10.1.40
Zoho ManageEngine<=10.1.2220.17

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203