Critical ManageEngine RCE Bug: Exploit now available

A proof-of-concept exploit is available now for remote code execution (RCE), vulnerability in several Zoho ManageEngine products.

The pre-authentication RCE flaw can be tracked as CVE-20222-47966. It is caused by an obsolete and potentially vulnerable Apache Santuario Library.

If the SAML-based single sign-on (SSO), is enabled or has been disabled at least once prior to the attack, unauthenticated threat actor can execute arbitrary Code on ManageEngine Instances.

Vulnerable software covers almost all ManageEngine products. However, they have been fixed in multiple waves that began on October 27, 2022 by updating third-party dependencies to secure versions.

Access Manager Plus Active Directory 360 OS Deployer
ADAudit Plus ADManager Plus Password Manager Pro
ADSelfService Plus Analytics Plus PAM 360
App Control Plus Asset Explorer Patch Manager Plus
Browser Security Plus Device Control Plus Remote Monitoring and Management
Endpoint Central Endpoint Central MSP Remote Access Plus
Endpoint DLP Key Manager Plus ServiceDesk Plus
ServiceDesk Plus MSP SupportCenter Plus Vulnerability manager Plus

Horizon3 security researchers published a , and earlier today. This follows a that an HTML2-2022-47966 PoC would be made available in the latter part of this week.

Researchers stated that the vulnerability allowed an attacker to execute remote code by sending a HTTP request with a malignant SAML response.

They added that “This POC exploits the preauthentication remote code execution vulnerability in order to execute a command using Java’s Runtime.exec”

Horizon3 said that the PoC exploit was successfully tested against ServiceDesk Plus, Endpoint Central and ServiceDesk Plus. They “expect this POC will work on many ManageEngine products which share some codebases with ServiceDesk Plus/EndpointCentral.”

CVE-2022-47966 PoC exploit (Horizon3)

Horizon3 previously published exploit codes for critical security flaws within several products.

  • An attack on Active Directory accounts can be done by exploiting a flaw in Zoho ManageEngine ADAudit PLUS.
  • is a critical flaw that allows remote code execution on F5 BIG IP networking devices.
  • is a critical bypass vulnerability in several VMware products which can allow threat actors to gain administrator privileges.

Attacks of’spray-and-pray’

Horizon3 researchers warned last week of an attack wave after PoC is published. “The vulnerability is easy-to-exploit and is a great candidate for attackers’ to’spray’ across the Internet,” they said.

Shodan exposed thousands of ServiceDesk Plus servers and Endpoint Central servers unpatched, with approximately 10% of detected devices being exposed to CVE-20222-47966 attacks due to their SAML enabled.

Although there have been no attacks on this vulnerability or attempts to exploit it, the threat actors are likely to move fast to create custom RCE exploits using Horizon3’s PoC codes.

Recent years have seen a lot of financial motivated, state-backed threats to Zoho ManageEngine servers.

After compromising Internet-exposed Desktop Central instances, in July 2020, threat actors sold their access to the breached networks .

They were targeted by a campaign organized by using tactics, techniques and procedures (TTPs), similar to the Chinese APT27 hacking team.

CISA and FBI jointly issued joint advisory [ and ] in response to these attacks on ManageEngine. These advisories were to warn against state-backed attackers using ManageEngine bugs to attack critical infrastructure organisations.