The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-47966

CVE-2022-47966: ManageEngine Access Manager Plus RCE Flaw

CVE-2022-47966 is a remote code execution vulnerability in Zoho ManageEngine Access Manager Plus caused by insecure Apache xmlsec implementation. This article covers technical details, affected versions, and security measures.

Published: February 25, 2026

CVE-2022-47966 Overview

CVE-2022-47966 is a critical remote code execution vulnerability affecting multiple Zoho ManageEngine on-premise products. The vulnerability stems from the use of an outdated version of Apache Santuario xmlsec (XML Security for Java) version 1.4.1, which includes XSLT features that require the application to implement certain security protections. ManageEngine applications failed to provide these necessary protections, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems.

The vulnerability is particularly dangerous because exploitation is possible against any product that has ever had SAML SSO configured—even if it is no longer active for some products. For other affected products, SAML SSO must be currently enabled. This vulnerability has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Critical Impact

Unauthenticated remote attackers can achieve complete system compromise on affected ManageEngine servers, enabling data theft, lateral movement, and ransomware deployment. Active exploitation has been confirmed by CISA.

Affected Products

  • Zoho ManageEngine ServiceDesk Plus (before build 14004)
  • Zoho ManageEngine ADSelfService Plus (before build 6211)
  • Zoho ManageEngine Endpoint Central (before build 10.1.2228.11)
  • Zoho ManageEngine PAM360 (before build 5713)
  • Zoho ManageEngine Password Manager Pro (before build 12124)
  • Zoho ManageEngine Access Manager Plus (before build 4308)
  • Zoho ManageEngine AD360 (before build 4310)
  • Zoho ManageEngine ADAudit Plus (before build 7081)
  • Zoho ManageEngine ADManager Plus (before build 7162)
  • Zoho ManageEngine Analytics Plus (before build 5150)
  • Zoho ManageEngine AssetExplorer (before build 6983)
  • Zoho ManageEngine Key Manager Plus (before build 6401)
  • Zoho ManageEngine Application Control Plus (before build 10.1.2220.18)
  • Zoho ManageEngine Browser Security Plus (before build 11.1.2238.6)
  • Zoho ManageEngine Device Control Plus (before build 10.1.2220.18)
  • Zoho ManageEngine Endpoint DLP Plus (before build 10.1.2137.6)
  • Zoho ManageEngine OS Deployer (before build 1.1.2243.1)
  • Zoho ManageEngine Patch Manager Plus (before build 10.1.2220.18)
  • Zoho ManageEngine Remote Access Plus (before build 10.1.2228.11)
  • Zoho ManageEngine Remote Monitoring and Management (before build 10.1.41)
  • Zoho ManageEngine SupportCenter Plus (before build 11026)
  • Zoho ManageEngine Vulnerability Manager Plus (before build 10.1.2220.18)

Discovery Timeline

  • January 18, 2023 - CVE-2022-47966 published to NVD
  • October 31, 2025 - Last updated in NVD database

Technical Details for CVE-2022-47966

Vulnerability Analysis

This vulnerability exploits a fundamental security design flaw in Apache Santuario xmlsec version 1.4.1. The library's XSLT transformation features were designed with the expectation that the calling application would implement proper security controls around XML processing. ManageEngine products using this library did not implement the required security measures, creating a path for unauthenticated remote code execution.

When a user authenticates via SAML SSO, the ManageEngine application processes SAML assertions that may include XML signatures. The vulnerable xmlsec library processes these signatures without proper safeguards, allowing an attacker to inject malicious XSLT code within a crafted SAML response. This XSLT code is then executed by the server during signature validation, resulting in arbitrary code execution with the privileges of the ManageEngine service.

The attack requires no authentication and can be executed remotely over the network. The only prerequisite is that SAML SSO has been configured at some point on the target system—for certain products, SAML SSO must still be active, while for others, historical configuration is sufficient.

Root Cause

The root cause is the use of Apache Santuario xmlsec version 1.4.1, which included XSLT transformation capabilities without enforcing security restrictions. According to the library's design, applications were responsible for implementing their own security controls when using these XSLT features. ManageEngine applications failed to implement these protections, leaving the XSLT processor accessible to attacker-controlled input through SAML authentication flows.

The xmlsec library processes Transform elements within XML signatures, and when XSLT transforms are present, the library executes them without restriction. This allows attackers to craft SAML responses containing malicious XSLT that executes arbitrary Java code through the Runtime.exec() method or similar techniques.

Attack Vector

The attack vector involves sending a specially crafted SAML response to the ManageEngine application's SAML SSO endpoint. The SAML response contains a malicious XSLT stylesheet embedded within the XML signature's transform section. When the ManageEngine application attempts to verify the signature, the xmlsec library processes the XSLT transform, executing the attacker's payload.

The exploitation flow typically involves an attacker initiating a SAML authentication request to the vulnerable application, intercepting or crafting a malicious SAML response, and injecting XSLT code that leverages Java's scripting capabilities to execute system commands. Since the attack targets the authentication flow itself, no prior authentication is required, making this a pre-auth remote code execution vulnerability.

For technical details on exploitation mechanics, refer to the Horizon3 Deep Dive on CVE-2022-47966 and the Rapid7 CVE Analysis.

Detection Methods for CVE-2022-47966

Indicators of Compromise

  • Unexpected or malformed SAML authentication requests to ManageEngine SAML endpoints (typically /SamlResponseServlet or similar paths)
  • Process spawning from Java/ManageEngine service processes (e.g., cmd.exe, powershell.exe, /bin/bash spawned by Java processes)
  • Web server logs showing POST requests to SAML endpoints with unusually large payloads or XSLT content
  • Presence of unknown or suspicious files created by the ManageEngine service user in writable directories

Detection Strategies

  • Monitor for child process creation from ManageEngine Java processes, particularly shell interpreters or scripting engines
  • Implement network-level detection for SAML responses containing XSLT transform elements or suspicious Java class references
  • Deploy endpoint detection rules targeting the execution chain from Java to system shell commands
  • Review application logs for SAML authentication errors or parsing exceptions that may indicate exploitation attempts

Monitoring Recommendations

  • Enable verbose logging on all ManageEngine applications and forward logs to a SIEM for correlation
  • Establish baseline network traffic patterns for SAML endpoints and alert on deviations in request size or frequency
  • Implement file integrity monitoring on ManageEngine installation directories to detect unauthorized modifications
  • Monitor for lateral movement indicators following any successful compromise of ManageEngine systems

How to Mitigate CVE-2022-47966

Immediate Actions Required

  • Immediately patch all affected ManageEngine products to the versions specified in the ManageEngine Security Advisory
  • If patching is not immediately possible, disable SAML SSO authentication on all affected products until patches can be applied
  • Conduct a forensic review of ManageEngine systems to identify potential historical compromise, particularly if SAML SSO was previously or currently configured
  • Implement network segmentation to limit exposure of ManageEngine applications to untrusted networks

Patch Information

Zoho has released patches for all affected ManageEngine products. Organizations should upgrade to the following minimum versions:

  • ServiceDesk Plus: Build 14004 or later
  • ADSelfService Plus: Build 6211 or later
  • Endpoint Central/Endpoint Central MSP: Build 10.1.2228.11 or later
  • PAM360: Build 5713 or later
  • Password Manager Pro: Build 12124 or later
  • Access Manager Plus: Build 4308 or later

Complete version requirements for all 24 affected products are available in the official ManageEngine Security Advisory CVE-2022-47966. Due to the severity and active exploitation status confirmed by CISA, patching should be treated as an emergency priority.

Workarounds

  • Disable SAML SSO authentication entirely if patches cannot be immediately applied—this removes the attack surface
  • Restrict network access to ManageEngine applications using firewall rules, limiting connections to trusted internal IP ranges only
  • Place ManageEngine applications behind a web application firewall (WAF) capable of inspecting SAML payloads for malicious XSLT content
  • If SAML must remain enabled, implement strict IP allowlisting for identity provider connections
bash
# Example: Restrict access to ManageEngine ServiceDesk Plus SAML endpoint via iptables
# Allow only trusted IdP IP addresses to reach the SAML endpoint
iptables -A INPUT -p tcp --dport 8080 -s 10.0.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -s 10.0.1.101 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechManageengine
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability94.38%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CISA KEV Information
  • In CISA KEVYes
  • CWE References
  • NVD-CWE-noinfo
  • CWE-20
  • Technical References
  • Packet Storm RCE Advisory
  • Packet Storm RCE Advisory
  • Packet Storm RCE Advisory
  • Rapid7 CVE Analysis
  • Viettel Blog on SAML
  • GitHub XML Security Tags
  • GitHub PoC for CVE-2022-47966
  • CISA Cybersecurity Advisory
  • Horizon3 Deep Dive on CVE-2022-47966
  • CISA Known Exploited Vulnerabilities
  • Vendor Resources
  • ManageEngine Security Advisory CVE-2022-47966
  • Related CVEs
  • CVE-2025-3835: ManageEngine Exchange Reporter Plus RCE
  • CVE-2026-1367: ManageEngine ADSelfService Plus SQLi
  • CVE-2025-8324: ManageEngine Analytics Plus SQLi Flaw
  • CVE-2025-41444: ManageEngine ADAudit Plus SQLi Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English