FortiGuard Labs is aware of a report that Proof-of-Concept code for a critical Zoho ManageEngine RCE vulnerability is actively exploited was released to the public. Patched in October and November, 2022, the vulnerability affects multiple on-premise ManageEngine products and allows attackers to perform remote code execution with SYSTEM level privileges.Why is this Significant?Although a patch is available for the Zoho ManageEngine RCE vulnerability (CVE-2022-47966), proof -of-concept code is now available to the public and exploit attempts for CVE-2022-47966 are expected to pick up because of it. Patch should be applied as soon as possible.What is CVE-2022-47966?The vulnerability affects multiple on-premise ManageEngine products due to use of Apache Santuario. Successful exploitation of the vulnerability allows attackers to perform remote code execution with SYSTEM level privileges. The vulnerability exists only when Security Assertion Markup Language (SAML) Single Sing On (SSO) is enabled or was enabled depending on the Zoho ManageEngine products.Has the Vendor Released an Advisory for CVE-2022-47966?Yes, the advisory is available. See the Appendix for a link to “Security advisory for remote code execution vulnerability in multiple ManageEngine products”.Which ManageEngine Products are Vulnerable to CVE-2022-47966?Affected ManageEngine products are available in the advisory.Has the Vendor Released a Patch for CVE-2022-47966?Yes, a patch was released in October 27th, 28th, and November 11th in 2022 depending on the ManageEngine products.What is the Status of Protection?FortiGuard Labs released the following IPS signature in version xxx for CVE-2022-47966:Zoho.ManageEngine.xmlsec.SAML.SSO.Remote.Code.Execution (default action is set to “pass”)
Proof-of-Concept Released for Zoho ManageEngine RCE vulnerability (CVE-2022-47966)
Read Time:1 Minute, 23 Second