DIVD-2023-00004 - Unauthenticated Remote Command Execution using SAML in Zoho ManageEngine
| Field | Value |
|---|---|
| Case lead | Max van der Horst |
| Product | Zoho ManageEngine OnPremise |
| Recommendation | Update your ManageEngine instance to the next version. The patched version is the next version number for all vulnerable versions (e.g. 4307 > 4308). |
| Last modified | 21 Apr 2023 15:12 |
An unauthenticated Remote Command Execution vulnerability has been identified in Zoho ManageEngine. It is registered as CVE-2022-47966 and stems from an outdated Apache Santuario implementation. If SAML has been enabled to facilitate Single Sign-On (SSO), malicious actors can execute arbitrary code on ManageEngine instances by sending a malicious SAML response to the server.
What you can do
Update your ManageEngine instance to the next version after the mentioned vulnerable versions.
What we are doing
DIVD is currently working to identify vulnerable parties and notify them. We do this by finding ManageEngine instances with reachable SAMLResponseServlets and verifying their version.
| Date | Event |
|---|---|
| 20 Jan 2023 | DIVD starts researching a fingerprint. |
| 22 Jan 2023 | DIVD identifies vulnerable parties. |
| 24 Jan 2023 | DIVD sends first round of notifications. |
| 14 Feb 2023 | DIVD conducts second scan and prepares second notification round. |
| 25 Feb 2023 | DIVD sends second round of notifications. |
| 16 Apr 2023 | DIVD conducts final scan. |
| 17 Apr 2023 | Case closed. |