CVE-2022-47966 (exploited in the wild)

Zoho ManageEngine, unauthenticated RCE via SAML SSO XML signature bypass

Self-Service Password Manager Pro and many other Zoho ManageEngine on-premise products allow remote code execution due to their use of Apache xmlsec (aka XML Security for Java) 1.4.1.

Overview

CVE-2022-47966 is a critical unauthenticated remote code execution (RCE) vulnerability affecting 24+ Zoho ManageEngine on-premises products. The flaw stems from the use of an outdated Apache Santuario (XML Security for Java) library, version 1.4.1, which improperly handles XSLT transformations during SAML SSO XML signature validation. When SAML-based single sign-on is configured (or was ever configured in the past), an unauthenticated network attacker can exploit this vulnerability to execute arbitrary code on the target system.

Technical Details

The vulnerability exists because Apache Santuario 1.4.1 delegates certain XSLT-related signature validation responsibilities to the consuming application. ManageEngine products bundling this library fail to enforce these validation checks properly. An attacker can craft a malicious SAML response containing specially constructed XSLT transforms and send it to the SSO endpoint. When the vulnerable ManageEngine application processes this response, it executes the embedded XSLT transforms, which can invoke arbitrary Java code.

Critically, the vulnerable endpoint may remain accessible even if SAML SSO has been disabled after initial configuration, meaning organizations that previously tested or used SAML authentication remain at risk.

A public proof-of-concept exploit was released by Horizon3.ai in January 2023, significantly lowering the barrier to exploitation.

Impact

The impact of this vulnerability is severe. Affected products include ADSelfService Plus, ServiceDesk Plus, Endpoint Central, and Password Manager Pro, tools commonly deployed by managed service providers (MSPs) and enterprises. These applications typically store privileged Active Directory credentials and operate in close proximity to domain controllers. Successful exploitation effectively grants attackers domain administrator-level access.

Following the public PoC release, mass exploitation occurred throughout January 2023. Security vendors including Bitdefender documented ransomware deployments by groups such as Buhti and RA Group. Additionally, a subgroup of the Lazarus Group deployed QuiteRAT malware post-exploitation. CISA added CVE-2022-47966 to its Known Exploited Vulnerabilities (KEV) catalog.

Mitigation

  1. Patch immediately: Apply updates per Zoho's official CVE-2022-47966 advisory matrix for all ManageEngine products.
  2. Audit SAML configuration history: Verify whether SAML SSO was ever configured, as disabled configurations may still expose the vulnerable endpoint.
  3. Network segmentation: Restrict management web UI access to administrative subnets only.
  4. Review Zoho advisories: Each affected product has specific patched versions documented in Zoho's security bulletins.

Detection

  1. Hunt for indicators of compromise (IOCs) published by Horizon3.ai.
  2. Sweep systems for webshell artifacts commonly deployed post-exploitation.
  3. Monitor for anomalous SAML authentication requests to ManageEngine endpoints.
  4. Review logs for unusual Java process spawning or outbound network connections from ManageEngine application servers.
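As an added example (not code from this page or from Zoho), the check below decodes captured `SAMLResponse` POST bodies and flags any `ds:Transform` whose algorithm is not on a short allowlist; an XSLT transform inside the signature is exactly what the malicious responses described under Technical Details carry, so this is one concrete form of the "anomalous SAML requests" monitoring above. The POST bodies and XML are constructed sample data, not real traffic.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
XSLT_ALGORITHM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Transforms a legitimate SAML signature actually needs; anything else is suspicious.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}

def suspicious_transforms(saml_response_b64):
    """Decode one SAMLResponse value and return the Algorithm of every
    ds:Transform not on the allowlist (XSLT is the CVE-2022-47966 case)."""
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64))
    except (ValueError, ET.ParseError):
        # A response that does not even parse is worth a look on its own.
        return ["unparseable-saml-response"]
    # The XML is only inspected here; no transform is ever executed.
    return [t.get("Algorithm", "") for t in root.iter(DSIG + "Transform")
            if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS]

def scan_request_bodies(bodies):
    """Scan captured POST bodies sent to the SSO endpoint; return (index, findings)."""
    findings = []
    for i, body in enumerate(bodies):
        for value in urllib.parse.parse_qs(body).get("SAMLResponse", []):
            bad = suspicious_transforms(value)
            if bad:
                findings.append((i, bad))
    return findings

def _constructed_body(algorithms):
    """Build a constructed (sample-only) SAMLResponse POST body with the given transforms."""
    transforms = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in algorithms)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1"><ds:Signature>'
           f'<ds:SignedInfo><ds:Reference URI="#_r1"><ds:Transforms>{transforms}'
           '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode()})

# Constructed samples: a normal enveloped-signature response and one carrying an XSLT transform.
BENIGN_BODY = _constructed_body(["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                                 "http://www.w3.org/2001/10/xml-exc-c14n#"])
FLAGGED_BODY = _constructed_body(["http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                                  XSLT_ALGORITHM])

if __name__ == "__main__":
    print(scan_request_bodies([BENIGN_BODY, FLAGGED_BODY]))  # prints [(1, ['http://www.w3.org/TR/1999/REC-xslt-19991116'])]
```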