Zoho · Active Directory 360 · CVE-2022-47966
**Name of the Vulnerable Software and Affected Versions**
Zoho ManageEngine ServiceDesk Plus versions prior to 14004
Zoho ManageEngine Access Manager Plus versions prior to 4308
Zoho ManageEngine Active Directory 360 versions prior to 4310
Zoho ManageEngine ADAudit Plus versions prior to 7081
Zoho ManageEngine ADManager Plus versions prior to 7162
Zoho ManageEngine ADSelfService Plus versions prior to 6211
Zoho ManageEngine Analytics Plus versions prior to 5150
Zoho ManageEngine Application Control Plus versions prior to 10.1.2220.18
Zoho ManageEngine Asset Explorer versions prior to 6983
Zoho ManageEngine Browser Security Plus versions prior to 11.1.2238.6
Zoho ManageEngine Device Control Plus versions prior to 10.1.2220.18
Zoho ManageEngine Endpoint Central versions prior to 10.1.2228.11
Zoho ManageEngine Endpoint Central MSP versions prior to 10.1.2228.11
Zoho ManageEngine Endpoint DLP versions prior to 10.1.2137.6
Zoho ManageEngine Key Manager Plus versions prior to 6401
Zoho ManageEngine OS Deployer versions prior to 1.1.2243.1
Zoho ManageEngine PAM 360 versions prior to 5713
Zoho ManageEngine Password Manager Pro versions prior to 12124
Zoho ManageEngine Patch Manager Plus versions prior to 10.1.2220.18
Zoho ManageEngine Remote Access Plus versions prior to 10.1.2228.11
Zoho ManageEngine Remote Monitoring and Management (RMM) versions prior to 10.1.41
Zoho ManageEngine ServiceDesk Plus MSP versions prior to 13001
Zoho ManageEngine SupportCenter Plus versions prior to 11026
Zoho ManageEngine Vulnerability Manager Plus versions prior to 10.1.2220.18
**Description**
The vulnerability stems from the use of Apache Santuario xmlsec (also known as XML Security for Java) version 1.4.1 in multiple Zoho ManageEngine on-premise products. That version's XSLT transform support leaves certain security protections to the embedding application, and the ManageEngine products did not provide them, which allows remote code execution. Exploitation is only possible if SAML SSO has ever been configured for the product. The vulnerability has been exploited by the North Korean state-backed threat group Lazarus to compromise internet backbone infrastructure providers and healthcare organizations.
**Recommendations**
For Zoho ManageEngine ServiceDesk Plus versions prior to 14004, update to version 14004 or later.
For Zoho ManageEngine Access Manager Plus versions prior to 4308, update to version 4308 or later.
For Zoho ManageEngine Active Directory 360 versions prior to 4310, update to version 4310 or later.
For Zoho ManageEngine ADAudit Plus versions prior to 7081, update to version 7081 or later.
For Zoho ManageEngine ADManager Plus versions prior to 7162, update to version 7162 or later.
For Zoho ManageEngine ADSelfService Plus versions prior to 6211, update to version 6211 or later.
For Zoho ManageEngine Analytics Plus versions prior to 5150, update to version 5150 or later.
For Zoho ManageEngine Application Control Plus versions prior to 10.1.2220.18, update to version 10.1.2220.18 or later.
For Zoho ManageEngine Asset Explorer versions prior to 6983, update to version 6983 or later.
For Zoho ManageEngine Browser Security Plus versions prior to 11.1.2238.6, update to version 11.1.2238.6 or later.
For Zoho ManageEngine Device Control Plus versions prior to 10.1.2220.18, update to version 10.1.2220.18 or later.
For Zoho ManageEngine Endpoint Central versions prior to 10.1.2228.11, update to version 10.1.2228.11 or later.
For Zoho ManageEngine Endpoint Central MSP versions prior to 10.1.2228.11, update to version 10.1.2228.11 or later.
For Zoho ManageEngine Endpoint DLP versions prior to 10.1.2137.6, update to version 10.1.2137.6 or later.
For Zoho ManageEngine Key Manager Plus versions prior to 6401, update to version 6401 or later.
For Zoho ManageEngine OS Deployer versions prior to 1.1.2243.1, update to version 1.1.2243.1 or later.
For Zoho ManageEngine PAM 360 versions prior to 5713, update to version 5713 or later.
For Zoho ManageEngine Password Manager Pro versions prior to 12124, update to version 12124 or later.
For Zoho ManageEngine Patch Manager Plus versions prior to 10.1.2220.18, update to version 10.1.2220.18 or later.
For Zoho ManageEngine Remote Access Plus versions prior to 10.1.2228.11, update to version 10.1.2228.11 or later.
For Zoho ManageEngine Remote Monitoring and Management (RMM) versions prior to 10.1.41, update to version 10.1.41 or later.
For Zoho ManageEngine ServiceDesk Plus MSP versions prior to 13001, update to version 13001 or later.
For Zoho ManageEngine SupportCenter Plus versions prior to 11026, update to version 11026 or later.
For Zoho ManageEngine Vulnerability Manager Plus versions prior to 10.1.2220.18, update to version 10.1.2220.18 or later.
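As an added triage helper (not Zoho's code and not part of this advisory), the script below encodes the fix thresholds listed above, compares an installed build numerically against the threshold for its product, and uses the SAML SSO condition from the description to separate affected-but-unexposed installs from exposed ones. The classification labels and the inventory rows are assumptions made for the example.

```python
import re

# Fix thresholds from the advisory above: an installed build below the
# threshold for its product is affected (version strings as Zoho publishes them).
FIXED_IN = {
    "ServiceDesk Plus": "14004",
    "Access Manager Plus": "4308",
    "Active Directory 360": "4310",
    "ADAudit Plus": "7081",
    "ADManager Plus": "7162",
    "ADSelfService Plus": "6211",
    "Analytics Plus": "5150",
    "Application Control Plus": "10.1.2220.18",
    "Asset Explorer": "6983",
    "Browser Security Plus": "11.1.2238.6",
    "Device Control Plus": "10.1.2220.18",
    "Endpoint Central": "10.1.2228.11",
    "Endpoint Central MSP": "10.1.2228.11",
    "Endpoint DLP": "10.1.2137.6",
    "Key Manager Plus": "6401",
    "OS Deployer": "1.1.2243.1",
    "PAM 360": "5713",
    "Password Manager Pro": "12124",
    "Patch Manager Plus": "10.1.2220.18",
    "Remote Access Plus": "10.1.2228.11",
    "Remote Monitoring and Management (RMM)": "10.1.41",
    "ServiceDesk Plus MSP": "13001",
    "SupportCenter Plus": "11026",
    "Vulnerability Manager Plus": "10.1.2220.18",
}

def version_key(version):
    """Turn '10.1.2220.18' or '14004' into an int tuple so builds compare numerically."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))

def assess(product, installed, saml_ever_configured):
    """Classify one install: 'patched', 'exposed', or 'affected-not-exposed'."""
    if version_key(installed) >= version_key(FIXED_IN[product]):
        return "patched"
    # Below the fix threshold. Per the advisory, exploitation needs SAML SSO to
    # have been configured at some point, so that flag sets the remediation priority.
    return "exposed" if saml_ever_configured else "affected-not-exposed"

if __name__ == "__main__":
    # Constructed inventory rows for demonstration; not real hosts.
    for row in [("ServiceDesk Plus", "14003", True), ("Endpoint Central", "10.1.2228.11", True)]:
        print(row[0], row[1], "->", assess(*row))
```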