Later this week, Horizon3 researchers plan to release a Proof of Concept (PoC) exploit for CVE-2022-47966, a critical unauthenticated, remote code execution vulnerability in multiple ManageEngine products.
ManageEngine On-Demand/cloud products are not affected by this vulnerability.
Note: CVE-2022-47966 is dependent on the specific ManageEngine product. Some products are vulnerable if SAML single-sign-on is enabled OR has ever been enabled, while others require SAML single-sign-on to be currently enabled.
We assess it is highly likely threat actors will leverage the PoC exploit to exploit vulnerable ManageEngine products that are exposed to the Internet due to the ease of exploitation and privileges obtained after successful exploitation. Notably, threat actors have leveraged at least three ManageEngine RCE vulnerabilities in prior intrusions.
Impacted Products
| Product | Affected Versions | Fixed Versions |
| Vulnerable only if your organization has configured SAML-based SSO and it is currently active. | ||
| Access Manager Plus | 4307 and below | 4308 |
| Analytics Plus | 5140 and below | 5150 |
| Application Control Plus | 10.1.2220.17 and below | 10.1.2220.18 |
| Browser Security Plus | 11.1.2238.5 and below | 11.1.2238.6 |
| Device Control Plus | 10.1.2220.17 and below | 10.1.2220.18 |
| Endpoint Central | 10.1.2228.10 and below | 10.1.2228.11 |
| Endpoint Central MSP | 10.1.2228.10 and below | 10.1.2228.11 |
| Endpoint DLP | 10.1.2137.5 and below | 10.1.2137.6 |
| Key Manager Plus | 6400 and below | 6401 |
| OS Deployer | 1.1.2243.0 and below | 1.1.2243.1 |
| PAM 360 | 5712 and below | 5713 |
| Password Manager Pro | 12123 and below | 12124 |
| Patch Manager Plus | 10.1.2220.17 and below | 10.1.2220.18 |
| Remote Access Plus | 10.1.2228.10 and below | 10.1.2228.11 |
| Remote Monitoring and Management (RMM) | 10.1.40 and below | 10.1.41 |
| Vulnerability Manager Plus | 10.1.2220.17 and below | 10.1.2220.18 |
| Product | Affected Versions | Fixed Versions |
| Vulnerable only if your organization has configured SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. | ||
| Active Directory 360 | 4309 and below | 4310 |
| ADAudit Plus | 7080 and below | 7081 |
| ADManager Plus | 7161 and below | 7162 |
| ADSelfService Plus | 6210 and below | 6211 |
| Asset Explorer | 6982 and below | 6983 |
| ServiceDesk Plus | 14003 and below | 14004 |
| ServiceDesk Plus MSP | 13000 and below | 13001 |
| SupportCenter Plus | 11017 to 11025 | 11026 |
Recommendation for CVE-2022-47966
Apply the Available Updates from ManageEngine
We strongly recommend applying the available updates from ManageEngine to prevent potential exploitation. We expect threat actors to begin leveraging the vulnerability in the near-term to obtain initial access into victim environments.
Fixed versions are provided above and can also be found here.
