CVE-2022-47966

Tags: CRITICAL · KEV · RANSOMWARE · NUCLEI

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

Title source: metasploit

Exploitation Summary

CVE-2022-47966 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 23, 2023), with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including horizon3ai, vonahisec and SystemVll, among them the Metasploit module exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2022-47966, a pre-authentication RCE vulnerability in ManageEngine products using Apache Santuario (xmlsec) <= 1.4.1. It crafts a malicious SAML response with embedded XSLT to execute arbitrary commands via Java's Runtime.exec.

Description

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Exploits (8)

nomisec · WORKING POC · 127 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2022-47966

This PoC exploits CVE-2022-47966, a pre-authentication RCE vulnerability in ManageEngine products using Apache Santuario (xmlsec) <= 1.4.1. It crafts a malicious SAML response with embedded XSLT to execute arbitrary commands via Java's Runtime.exec.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine products (e.g., ServiceDesk Plus, Endpoint Central, ADManager Plus, ADSelfService Plus) with Apache Santuario <= 1.4.1
Authentication: none needed
Prerequisites: Target URL with SAML endpoint · Command to execute
Analyzed by devstral-2, Feb 16, 2026
nomisec · SCANNER · 28 stars
by vonahisec · infoleak
https://github.com/vonahisec/CVE-2022-47966-Scan

This repository contains a scanner for CVE-2022-47966, a critical unauthenticated remote code execution vulnerability affecting multiple ManageEngine products. The scanner checks for the presence of the vulnerability by analyzing version information and SAML configuration status.

Classification: Scanner (100%)
Attack type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine products (e.g., ADAudit Plus, ADManager Plus, Asset Explorer, etc.)
Authentication: none needed
Prerequisites: Target must be a ManageEngine product with SAML SSO enabled or previously enabled
Analyzed by devstral-2, Feb 16, 2026
nomisec · WORKING POC · 7 stars
by SystemVll · remote
https://github.com/SystemVll/CVE-2022-47966

This is a functional exploit for CVE-2022-47966, targeting ManageEngine products via SAML authentication bypass. It crafts a malicious SAML response with embedded XSLT to execute arbitrary commands on vulnerable systems.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine (multiple products, see vendor advisory)
Authentication: none needed
Prerequisites: Network access to vulnerable ManageEngine instance · SAML endpoint exposed
Analyzed by devstral-2, Feb 16, 2026
nomisec · SCANNER · 2 stars
by ACE-Responder · poc
https://github.com/ACE-Responder/CVE-2022-47966_checker

This PowerShell script scans ManageEngine ServiceDesk access logs for indicators of CVE-2022-47966 exploitation by detecting and decoding SAML responses containing malicious payloads. It exports findings to a CSV file for further analysis.

Classification: Scanner (90%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ManageEngine ServiceDesk
Authentication: none needed
Prerequisites: Access to ManageEngine ServiceDesk access logs
Analyzed by devstral-2, Feb 16, 2026
nomisec · STUB
by shameem-testing · remote
https://github.com/shameem-testing/PoC-for-ME-SAML-Vulnerability

The repository provides minimal instructions for testing CVE-2022-47966, a SAML vulnerability, but lacks actual exploit code or payload details. It only describes the request format without technical implementation.

Classification: Stub (30%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Theoretical
Target: ManageEngine products with SAML authentication (specific versions not specified)
Authentication: none needed
Prerequisites: Access to the target server's SAML endpoint · Ability to send crafted POST requests
Analyzed by devstral-2, Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Khoa Dinh, horizon3ai, Christophe De La Fuente · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb

This Metasploit module exploits CVE-2022-47966, an unauthenticated RCE vulnerability in ManageEngine ServiceDesk Plus due to an outdated Apache Santuario library. It leverages a crafted SAML response to execute arbitrary code via XSLT transforms and Java URLClassLoader.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ServiceDesk Plus versions 10511 to 14003
Authentication: none needed
Prerequisites: SAML-based SSO must have been configured at least once on the target
Analyzed by devstral-2, Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Khoa Dinh, horizon3ai, Christophe De La Fuente · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966.rb

This Metasploit module exploits CVE-2022-47966, an unauthenticated RCE vulnerability in ManageEngine ADSelfService Plus via a crafted SAML response. It leverages an outdated Apache Santuario library to execute arbitrary commands through XSLT transformations.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine ADSelfService Plus versions 6210 and below
Authentication: none needed
Prerequisites: Target must have been configured with SAML-based SSO at least once · Valid SAML endpoint GUID and Issuer URL
Analyzed by devstral-2, Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by Khoa Dinh, horizon3ai, Christophe De La Fuente · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb

This Metasploit module exploits CVE-2022-47966, an unauthenticated RCE vulnerability in ManageEngine Endpoint Central due to an outdated Apache Santuario library. It leverages a crafted SAML response with XSLT transforms to execute arbitrary Java or Windows commands.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine Endpoint Central and MSP versions <= 10.1.2228.10
Authentication: none needed
Prerequisites: SAML-based SSO must be enabled on the target · Target must be running a vulnerable version of ManageEngine Endpoint Central
Analyzed by devstral-2, Feb 16, 2026

Nuclei Templates (1)

ManageEngine - Remote Command Execution
CRITICAL · VERIFIED · by rootxharsh, iamnoooob, DhiyaneshDK, pdresearch
Shodan: title:"ManageEngine" || http.title:"manageengine"
FOFA: title="manageengine"

Scores

CVSS v3: 9.8
EPSS: 0.9438
EPSS percentile: 100.0%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical impact: total

Details

CISA KEV: 2023-01-23
VulnCheck KEV: 2023-01-19
InTheWild.io: 2023-01-20
ENISA EUVD: EUVD-2022-50684
Ransomware use: Confirmed
CWE: CWE-20
Status: published
Products (7)
zohocorp/manageengine_access_manager_plus 4.3 build4300 (8 CPE variants)
zohocorp/manageengine_access_manager_plus < 4.3
zohocorp/manageengine_ad360 4.3 4300 (8 CPE variants)
zohocorp/manageengine_ad360 < 4.3
zohocorp/manageengine_adaudit_plus 7.0 7000 (19 CPE variants)
zohocorp/manageengine_adaudit_plus < 7.0
zohocorp/manageengine_admanager_plus 7.1 7100 (12 CPE variants)
Published: Jan 18, 2023
KEV added: Jan 23, 2023
Tracked since: Feb 18, 2026