
CVE-2022-47966 Explained: Zoho ManageEngine Unauthenticated RCE via SAML (CVSS 9.8)

A CVSS 9.8 pre-authentication remote code execution vulnerability affecting up to 24 Zoho ManageEngine products simultaneously. Exploited by multiple APT groups within weeks of disclosure, it leverages a vulnerable third-party XML signature library in the SAML authentication stack.

At a glance: CVSS score 9.8 | ManageEngine products affected: 24 | Authentication required: none | Confirmed nation-state exploiter: APT41

CVE-2022-47966 is a pre-authentication remote code execution vulnerability affecting up to 24 Zoho ManageEngine products. It scores CVSS 9.8 and requires no authentication — only network access to the ManageEngine web interface. The root cause is a vulnerable version of Apache Santuario (XML Security for Java) embedded in the ManageEngine SAML SSO implementation. An attacker sends a crafted SAML response with a malicious XML signature, which the vulnerable library fails to correctly validate, allowing arbitrary code execution on the server.

ManageEngine products are widely deployed in enterprise IT departments for help desk ticketing, endpoint management, network monitoring, Active Directory management, and privileged access management. A compromised ManageEngine server typically has broad internal network access — credentials for managed systems, connections to Active Directory, and administrative access to endpoints. This makes ManageEngine a high-value lateral movement pivot for threat actors who achieve initial access.

How CVE-2022-47966 Works: XML Signature Wrapping in SAML

Security Assertion Markup Language (SAML) is an XML-based authentication protocol used for single sign-on. When a user authenticates via a SAML Identity Provider (IdP), the IdP sends a signed XML assertion to the service provider (in this case ManageEngine). The service provider validates the XML signature to confirm the assertion is genuine.

Apache Santuario is the library ManageEngine used for XML digital signature validation. The vulnerability is an XML Signature Wrapping (XSW) attack — a class of attack where the attacker manipulates the structure of the XML document such that the signature validates a benign portion of the document while the application's business logic reads a different, attacker-controlled portion.

In practice: the attacker constructs a SAML response containing a legitimate signed element alongside a separate malicious element. The signature validation passes (it correctly validates the signed element), but ManageEngine's application code processes the attacker-controlled element instead — interpreting it as an authenticated admin assertion. The vulnerability exploited against ManageEngine allowed the SAML processing to trigger code execution, not merely authentication bypass.
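The rule that defeats a wrapped response is that the element the application consumes must be exactly the element the signature covers, and nothing else in the document may be mistaken for it. The following Python is an added example, not ManageEngine or Apache Santuario code: a structural pre-check run before the XML-DSig library verifies the signature cryptographically. It assumes the assertion-signed SAML 2.0 profile (the ds:Signature sits inside the saml:Assertion and its Reference points at the assertion's ID); the sample responses are constructed, with placeholder signature values.

```python
"""Structural XML Signature Wrapping (XSW) pre-check for a SAML Response.

Added example, not vendor code.  It enforces that the assertion the
application consumes is the one the signature's Reference covers and that no
second assertion exists anywhere in the document.  Cryptographic verification
of the signature is a separate step performed by an XML-DSig library; this
check rejects documents whose shape would let a wrap succeed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]


class WrappingError(ValueError):
    """Raised when the response shape permits an XSW attack."""


def select_signed_assertion(xml_bytes: bytes) -> ET.Element:
    root = ET.fromstring(xml_bytes)

    # 1. Exactly one Assertion anywhere in the document.  A wrapped response
    #    carries two: the signed decoy and the unsigned one the app reads.
    assertions = root.findall(".//" + SAML_ASSERTION)
    if len(assertions) != 1:
        raise WrappingError(f"expected exactly 1 Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # 2. The Assertion must be a direct child of the Response, not tucked
    #    inside an extension element or another element's subtree.
    if assertion not in list(root):
        raise WrappingError("Assertion is not a direct child of Response")

    # 3. Exactly one Signature, and it must be a child of that Assertion.
    sigs = root.findall(".//" + DS_SIGNATURE)
    if len(sigs) != 1 or sigs[0] not in list(assertion):
        raise WrappingError("expected exactly one Signature inside the Assertion")
    sig = sigs[0]

    # 4. The single Reference must be a same-document ID reference.
    refs = sig.findall(".//" + DS_REFERENCE)
    if len(refs) != 1:
        raise WrappingError(f"expected exactly 1 Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        raise WrappingError(f"Reference URI must be a same-document ID reference: {uri!r}")
    target_id = uri[1:]

    # 5. The referenced ID must be unique and belong to the consumed Assertion.
    holders = [e for e in root.iter() if e.get("ID") == target_id]
    if len(holders) != 1:
        raise WrappingError(f"ID {target_id!r} occurs {len(holders)} times")
    if holders[0] is not assertion:
        raise WrappingError("Signature covers an element other than the consumed Assertion")
    return assertion


def is_safe(xml_bytes: bytes) -> bool:
    """True if the response passes the structural check, False if it is rejected."""
    try:
        select_signed_assertion(xml_bytes)
        return True
    except (WrappingError, ET.ParseError):
        return False


def name_id(xml_bytes: bytes) -> str:
    """Return the NameID of the signed assertion, or raise WrappingError."""
    return select_signed_assertion(xml_bytes).find("saml:Subject/saml:NameID", NS).text


# Constructed samples (not captured traffic); signature values are placeholders.
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def _assertion(aid: str, subject: str, signed: bool) -> str:
    sig = _SIG.format(ref=aid) if signed else ""
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject>'
            f'<saml:NameID>{subject}</saml:NameID></saml:Subject></saml:Assertion>')


def _response(*assertions: str) -> bytes:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp">'
            + "".join(assertions) + "</samlp:Response>").encode()


GOOD = _response(_assertion("_a1", "alice", signed=True))
# Wrapped shape: an unsigned assertion placed ahead of the legitimately signed one.
WRAPPED = _response(_assertion("_a0", "admin", signed=False),
                    _assertion("_a1", "alice", signed=True))

if __name__ == "__main__":
    print(name_id(GOOD))
    print("wrapped accepted:", is_safe(WRAPPED))
```

The check is deliberately strict: a response with two assertions is rejected outright rather than "the signed one" being picked, because choosing between them is exactly the decision a wrapping attack exploits.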

1. Identify ManageEngine deployments with SAML enabled

ManageEngine web portals are identifiable by their login page branding. SAML-enabled instances have a different login flow. However, instances where SAML was previously enabled but disabled are also vulnerable — attackers attempt exploitation regardless of current SAML UI state.

2. Craft malicious SAML response

Construct an XML SAML response with a wrapped structure: a legitimately-signed innocuous element alongside a malicious element containing the attacker's payload. The Apache Santuario library validates the signature on the benign element and passes the check.

3. POST crafted SAML response to ManageEngine endpoint

Submit the crafted SAML response to the ManageEngine SAML assertion consumer endpoint (typically /samlLogin or similar). No valid IdP session or prior authentication is required.

4. ManageEngine processes attacker-controlled XML

ManageEngine's application code processes the attacker's malicious XML element rather than the signed benign one. The code execution trigger is activated — typically via a deserialization gadget or expression language injection embedded in the SAML attribute values.

5. Execute commands as ManageEngine service account

Commands execute with the privileges of the ManageEngine application service — typically a Windows service account with significant domain privileges, or a Linux service user with access to all managed system credentials.

Scope and Nation-State Exploitation

The breadth of affected products makes CVE-2022-47966 unusual. A single vulnerable library in the SAML implementation meant that any ManageEngine product using that library for SAML was affected — spanning help desk, endpoint management, network management, firewall analysis, and privileged access management products. An organisation running multiple ManageEngine products had multiple simultaneously vulnerable entry points.

Secureworks documented exploitation campaigns consistent with APT41 (Double Dragon) — a prolific Chinese state-sponsored threat actor with a dual mandate of espionage and financial crime. APT41 has a documented history of targeting ManageEngine products, previously exploiting CVE-2021-40539 (ADSelfService Plus) and CVE-2022-35405 (Password Manager Pro). ManageEngine products are attractive APT targets because they hold credentials for a wide range of managed systems — compromising the management layer provides access to managed infrastructure.

Within hours of the proof-of-concept for CVE-2022-47966 being published, Secureworks observed multiple threat actors scanning and exploiting ManageEngine servers. The speed of exploitation underscores the importance of patching ManageEngine products on an emergency basis.

Secureworks, January 2023

Patching and Remediating CVE-2022-47966

Each affected ManageEngine product has a specific patched build number. Organisations running multiple ManageEngine products must patch each one individually.

1. Identify all ManageEngine products in your environment

Conduct a full inventory. The full list of affected products is in Zoho's advisory. Organisations frequently run multiple ManageEngine products — ServiceDesk Plus for tickets, Desktop Central for endpoints, ADManager Plus for AD, and OpManager for network monitoring. Each requires independent patching.

2. Upgrade each product to its specific patched build

Patch versions vary by product and vary by whether SAML is in use. Zoho's advisory specifies the minimum safe build number for each affected product. Do not assume that patching one product patches others — the library is independently embedded in each.

3. Audit ManageEngine servers for compromise indicators

Check for: new scheduled tasks or services, new local administrator accounts, outbound connections to unfamiliar IPs, web shells in the ManageEngine web directory, and persistence mechanisms in autorun locations. ManageEngine servers often run as SYSTEM or a high-privilege service account — post-compromise lateral movement is rapid.

4. Rotate credentials stored in or accessible to ManageEngine

ManageEngine products store credentials for managed systems. ServiceDesk Plus may store email server credentials, LDAP bind credentials, and integration API keys. Desktop Central stores endpoints' local admin credentials. Rotate all credentials stored in or accessible from compromised ManageEngine instances.
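The compromise audit above lists what to look for; one concrete way to work through web server logs for it is the following Python, an added example rather than a ManageEngine or vendor tool. It assumes Common Log Format access logs, /samlLogin as the assertion consumer endpoint (the typical path named earlier), and a baseline set of known web paths taken from a clean install. It raises two findings: a POST to the SAML endpoint while SAML SSO is disabled, which no legitimate client should produce, and a request from the same source to a previously unseen .jsp path shortly after such a POST, the shape a web shell drop leaves behind. The log lines are constructed for the example.

```python
"""Triage web access logs for the CVE-2022-47966 exploitation pattern.

Added example, not vendor code.  Assumptions: Common Log Format lines, the
SAML assertion consumer endpoint at /samlLogin, and KNOWN_PATHS populated
from a clean install of the same product build.
"""
import re
from datetime import datetime, timedelta

SAML_ENDPOINTS = {"/samlLogin"}          # assumption: the typical ACS path
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "ts": datetime.strptime(ts, TS_FMT),
        "method": method,
        "path": path.split("?", 1)[0],   # drop the query string
        "status": int(status),
    }


def triage(lines, saml_enabled: bool, known_paths, window=timedelta(minutes=10)):
    """Return a list of (source_ip, reason, raw_line) findings."""
    findings = []
    last_saml_post = {}   # source ip -> timestamp of its most recent SAML POST
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] in SAML_ENDPOINTS:
            last_saml_post[ev["ip"]] = ev["ts"]
            if not saml_enabled:
                findings.append((ev["ip"], "POST to SAML endpoint while SAML SSO is disabled", raw))
            continue
        # A never-before-seen JSP served soon after a SAML POST from the same
        # source is the classic footprint of a dropped web shell.
        if ev["path"].endswith(".jsp") and ev["path"] not in known_paths:
            last = last_saml_post.get(ev["ip"])
            if last is not None and ev["ts"] - last <= window:
                gap = int((ev["ts"] - last).total_seconds())
                findings.append((ev["ip"], f"unknown JSP {ev['path']} requested {gap}s after SAML POST", raw))
    return findings


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2023:09:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jan/2023:09:02:10 +0000] "POST /samlLogin HTTP/1.1" 200 128',
    '203.0.113.9 - - [20/Jan/2023:09:02:45 +0000] "GET /images/help.jsp HTTP/1.1" 200 90',
    '10.0.0.7 - - [20/Jan/2023:09:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
]
KNOWN_PATHS = {"/index.jsp", "/samlLogin"}   # assumption: baseline from a clean install

if __name__ == "__main__":
    for ip, reason, raw in triage(SAMPLE_LOG, saml_enabled=False, known_paths=KNOWN_PATHS):
        print(f"{ip}: {reason}\n    {raw}")
```

Run it with saml_enabled set to the instance's actual SSO state; on a server where SAML was disabled after the advisory, every POST to the endpoint is worth a ticket. The JSP heuristic depends on the baseline being complete, so generate KNOWN_PATHS from a clean install of the same build rather than from the suspect server.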

The bottom line

CVE-2022-47966 is a supply-chain-of-libraries vulnerability: a single vulnerable version of Apache Santuario embedded across 24 products simultaneously created 24 independent pre-authentication RCE attack surfaces. The pattern is not unique to ManageEngine — any product suite sharing a vulnerable common component inherits the vulnerability across the entire suite.

The APT attraction to ManageEngine is straightforward: IT management software holds privileged access to the systems it manages. Compromising the management layer is compromising the managed infrastructure. For security teams, ManageEngine and similar IT management platforms should receive the same vulnerability prioritisation urgency as perimeter infrastructure — because from an attacker's perspective, they effectively are the perimeter.

Frequently asked questions

What is CVE-2022-47966?

CVE-2022-47966 is a CVSS 9.8 pre-authentication remote code execution vulnerability in Zoho ManageEngine products that use Apache Santuario (XML Security for Java) for SAML authentication. A flaw in the XML signature validation allows an attacker to supply a malicious SAML response that bypasses signature verification and triggers code execution on the ManageEngine server. SAML SSO must have been enabled at some point (even if subsequently disabled) for the attack path to exist.

Which ManageEngine products are affected by CVE-2022-47966?

Up to 24 ManageEngine products are affected, including: ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus, AssetExplorer, Desktop Central (now Endpoint Central), ADSelfService Plus, ADManager Plus, ADAudit Plus, OpManager, OpManager Plus, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, PAM360, Access Manager Plus, and others. The full list is in Zoho's advisory. All require SAML SSO to have been enabled.

Does SAML need to be currently enabled for CVE-2022-47966 to be exploitable?

No. CVE-2022-47966 can be exploited if SAML SSO was enabled at any point — even if it was subsequently disabled. Disabling SAML in the ManageEngine UI may not fully remove the vulnerable code path. The safe remediation is upgrading to the patched version of each affected product.

Was CVE-2022-47966 exploited in the wild?

Yes, rapidly. CISA added CVE-2022-47966 to the KEV catalog in January 2023. Secureworks documented exploitation by a threat actor consistent with APT41 (Chinese state-sponsored) targeting ManageEngine ServiceDesk Plus in critical infrastructure organisations. Multiple other unattributed exploitation campaigns were also observed.

How do I fix CVE-2022-47966?

Upgrade each affected ManageEngine product to the patched version specified in Zoho's advisory (build numbers vary by product). If you cannot patch immediately, disable SAML SSO — but note that disabling SAML in the UI may not fully eliminate the vulnerable code path; patching is the only complete fix. After patching, audit for signs of prior compromise including unexpected scheduled tasks, new local admin accounts, and lateral movement from ManageEngine servers.

Sources & references

  1. NVD
  2. Zoho ManageEngine Security Advisory
  3. CISA Known Exploited Vulnerabilities Catalog
  4. Rapid7 — CVE-2022-47966 ManageEngine RCE Analysis
  5. Secureworks — ManageEngine CVE-2022-47966 Exploitation

Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest. Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security.