CVE-2022-47966: Security Advisory from ManageEngine on RCE patched in 2022
Zoho ManageEngine has released a security advisory for CVE-2022-47966, a critical unauthenticated remote code execution vulnerability in several of its products. Curiously, the advisory comes two months after ManageEngine released patches.
The affected products are:
Access Manager Plus
Active Directory 360
ADAudit Plus
ADManager Plus
ADSelfService Plus
Analytics Plus
Application Control Plus
Asset Explorer
Browser Security Plus
Device Control Plus
Endpoint Central
Endpoint Central MSP
Endpoint DLP
Key Manager Plus
OS Deployer
PAM 360
Password Manager Pro
Patch Manager Plus
Remote Access Plus
Remote Monitoring and Management (RMM)
ServiceDesk Plus
ServiceDesk Plus MSP
SupportCenter Plus
Vulnerability Manager Plus
The vulnerability is caused by the use of an outdated version of Apache Santuario, an XML security software library. To be exploited, an unpatched target must have SAML-based SSO enabled or have had it enabled in the past, depending on the product. Patches for the affected products were released in late October and early November.
Product coverage for this vulnerability is currently being evaluated, and this post will be updated accordingly as developments unfold.