ManageEngine Security Update 17 January 2023

ManageEngine has released a security update to address a critical vulnerability affecting multiple products.

The vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the affected system by sending a specially crafted request.

Administrators of ManageEngine products should note that a proof-of-concept (PoC) exploit for this vulnerability has already been created, so exposed instances should be treated as at risk of active exploitation.

The vulnerability is exploitable when SAML-based SSO is currently enabled in the ManageEngine setup. For some products it is also exploitable if SAML-based SSO was configured at least once in the past, regardless of whether it is enabled now, so the current SSO status alone is not a reliable indicator of exposure.

Multiple ManageEngine Products Code Execution (CVE-2022-47966):

• CVSS: 9.8

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

Vulnerabilities

• CVE-2022-47966

Mitigations

Enterprises should deploy the vendor-supplied fixed builds for every affected product as soon as internal testing is complete. Because the flaw is remotely exploitable without authentication and a PoC exists, instances on which SAML-based SSO is enabled, or has ever been enabled, should be treated as exposed and patched first.

References

• ManageEngine Security Advisory