CVE-2022-47966

Warnung

Exploit

EPSS 94.43%
Veröffentlicht 18.01.2023 18:15:10
Zuletzt bearbeitet 07.03.2025 17:12:53
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Access Manager Plus Version < 4.3

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4300

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4301

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4302

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4303

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4304

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4305

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4306

Zohocorp ≫ Manageengine Access Manager Plus Version4.3 Updatebuild4307

Zohocorp ≫ Manageengine Ad360 Version < 4.3

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4300

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4302

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4303

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4304

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4305

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4306

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4308

Zohocorp ≫ Manageengine Ad360 Version4.3 Update4309

Zohocorp ≫ Manageengine Adaudit Plus Version < 7.0

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7000

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7002

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7003

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7004

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7005

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7006

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7007

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7008

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7050

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7051

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7052

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7053

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7054

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7055

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7060

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7062

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7063

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7065

Zohocorp ≫ Manageengine Adaudit Plus Version7.0 Update7080

Zohocorp ≫ Manageengine Admanager Plus Version < 7.1

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7100

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7101

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7102

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7110

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7111

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7112

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7113

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7114

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7115

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7116

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7117

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7118

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7120

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7121

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7122

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7123

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7124

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7125

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7126

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7130

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7131

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7140

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7141

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7150

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7151

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7160

Zohocorp ≫ Manageengine Admanager Plus Version7.1 Update7161

Zohocorp ≫ Manageengine Adselfservice Plus Version < 6.2

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6200

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6201

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6202

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6203

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6204

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6205

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6206

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6207

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6208

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6209

Zohocorp ≫ Manageengine Adselfservice Plus Version6.2 Update6210

Zohocorp ≫ Manageengine Analytics Plus Version < 5.1

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5100

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5110

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5120

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5121

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5130

Zohocorp ≫ Manageengine Analytics Plus Version5.1 Update5140

Zohocorp ≫ Manageengine Assetexplorer Version < 6.9

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6900

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6901

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6902

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6903

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6904

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6905

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6906

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6907

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6908

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6909

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6950

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6951

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6952

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6953

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6954

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6955

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6956

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6957

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6970

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6971

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6972

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6973

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6974

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6975

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6976

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6977

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6978

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6979

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6980

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6981

Zohocorp ≫ Manageengine Assetexplorer Version6.9 Update6982

Zohocorp ≫ Manageengine Key Manager Plus Version < 6.4

Zohocorp ≫ Manageengine Key Manager Plus Version6.4 Update6400

Zohocorp ≫ Manageengine Pam360 Version < 5.7

Zohocorp ≫ Manageengine Pam360 Version5.7 Updatebuild5700

Zohocorp ≫ Manageengine Pam360 Version5.7 Updatebuild5710

Zohocorp ≫ Manageengine Pam360 Version5.7 Updatebuild5711

Zohocorp ≫ Manageengine Pam360 Version5.7 Updatebuild5712

Zohocorp ≫ Manageengine Password Manager Pro Version < 12.1

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12100

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12101

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12110

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12120

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12121

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12122

Zohocorp ≫ Manageengine Password Manager Pro Version12.1 Updatebuild12123

Zohocorp ≫ Manageengine Servicedesk Plus Version < 14.0

Zohocorp ≫ Manageengine Servicedesk Plus Version14.0 Update14000

Zohocorp ≫ Manageengine Servicedesk Plus Version14.0 Update14001

Zohocorp ≫ Manageengine Servicedesk Plus Version14.0 Update14002

Zohocorp ≫ Manageengine Servicedesk Plus Version14.0 Update14003

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version < 13.0

Zohocorp ≫ Manageengine Servicedesk Plus Msp Version13.0 Update13000

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11017

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11018

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11019

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11020

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11021

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11022

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11024

Zohocorp ≫ Manageengine Supportcenter Plus Version11.0 Update11025

Zohocorp ≫ Manageengine Application Control Plus Version < 10.1.220.18

Zohocorp ≫ Manageengine Browser Security Plus Version < 11.1.2238.6

Zohocorp ≫ Manageengine Device Control Plus Version < 10.1.2220.18

Zohocorp ≫ Manageengine Endpoint Dlp Plus Version < 10.1.2137.6

Zohocorp ≫ Manageengine Os Deployer Version < 1.1.2243.1

Zohocorp ≫ Manageengine Patch Manager Plus Version < 10.1.2220.18

Zohocorp ≫ Manageengine Remote Access Plus Version < 10.1.2228.11

Zohocorp ≫ Manageengine Remote Monitoring And Management Central Version < 10.1.41

Zohocorp ≫ Manageengine Vulnerability Manager Plus Version < 10.1.2220.18

23.01.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability

Schwachstelle

Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.43%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry