Zoho.ManageEngine.xmlsec.SAML.SSO.Remote.Code.Execution

Description

This indicates an attack attempt to exploit a Remote Code Execution vulnerability in Zoho Corporation ManageEngine products with SAML SSO enabled.
The vulnerability is due to improper validation of user input when handling a crafted SAML response. A remote attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to remote code execution in the context of the system.

Outbreak Alert

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus, Password Manager Pro and ADSelfService Plus, allow remote code execution due to the use of an outdated third-party dependency, Apache Santuario. Successful exploitation could lead to remote code execution, and there is evidence of exploitation in the wild by Advanced Persistent Threat (APT) groups.

Affected Products

Zoho ManageEngine Access Manager Plus version 4307 and prior
Zoho ManageEngine Active Directory 360 version 4309 and prior
Zoho ManageEngine ADAudit Plus version 7080 and prior
Zoho ManageEngine ADManager Plus version 7161 and prior
Zoho ManageEngine ADSelfService Plus version 6210 and prior
Zoho ManageEngine Analytics Plus version 5140 and prior
Zoho ManageEngine Application Control Plus version 10.1.2220.17 and prior
Zoho ManageEngine Asset Explorer version 6982 and prior
Zoho ManageEngine Browser Security Plus version 11.1.2238.5 and prior
Zoho ManageEngine Device Control Plus version 10.1.2220.17 and prior
Zoho ManageEngine Endpoint Central version 10.1.2228.10 and prior
Zoho ManageEngine Endpoint Central MSP version 10.1.2228.10 and prior
Zoho ManageEngine Endpoint DLP version 10.1.2137.5 and prior
Zoho ManageEngine Key Manager Plus version 6400 and prior
Zoho ManageEngine OS Deployer version 1.1.2243.0 and prior
Zoho ManageEngine PAM 360 version 5712 and prior
Zoho ManageEngine Password Manager Pro version 12123 and prior
Zoho ManageEngine Patch Manager Plus version 10.1.2220.17 and prior
Zoho ManageEngine Remote Access Plus version 10.1.2228.10 and prior
Zoho ManageEngine Remote Monitoring and Management (RMM) version 10.1.40 and prior
Zoho ManageEngine ServiceDesk Plus version 14003 and prior
Zoho ManageEngine ServiceDesk Plus MSP version 13000 and prior
Zoho ManageEngine SupportCenter Plus version 11017 to version 11025
Zoho ManageEngine Vulnerability Manager Plus version 10.1.2220.17 and prior

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

Version Updates

Date Version Detail
2023-02-28 0.00342

CVE References

CVE-2022-47966