CVE-2022-40770

HIGH

ManageEngine ServiceDesk Plus < 13.0 - Authenticated Command Injection

Title source: llm

Description

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

Scores

CVSS v3: 7.2
EPSS: 0.6600
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-77
Status: published
Products (5)
zohocorp/manageengine_servicedesk_plus 13.0 13000 (11 CPE variants)
zohocorp/manageengine_servicedesk_plus < 13.0
zohocorp/manageengine_servicedesk_plus_msp 10.6 (12 CPE variants)
zohocorp/manageengine_servicedesk_plus_msp < 10.6
zohocorp/manageengine_supportcenter_plus 11.0 11000 (25 CPE variants)
Published: Nov 23, 2022
Tracked Since: Feb 18, 2026