Detect CVE-2022-47966 Exploits: Critical Zoho ManageEngine RCE Vulnerability Under Active Exploitation

Another day, another critical RCE making the rounds in the cyber threat arena. This time security practitioners are urged to patch ASAP against a critical remote code execution bug (CVE-2022-47966) affecting multiple Zoho ManageEngine products. Since the proof-of-concept (PoC) exploit was publicly released last week, experts have observed a huge spike in in-the-wild attacks leveraging the vulnerability in the spotlight.

CVE-2022-47966 Detection

ManageEngine products are widely adopted by enterprises globally to perform authentication, authorization, and identity management functions. Given the nature of this software and the massive wave of in-the-wild exploitation, the vulnerability in question poses a significant risk to organizations. To proactively secure your infrastructure from potential attacks, SOC Prime’s Detection as Code Platform offers a batch of Sigma rules detecting the malicious activity associated with CVE-2022-47966 exploitation.

All detections are compatible with 25+ SIEM, EDR, and XDR technologies and are aligned with the MITRE ATT&CK® framework v12, addressing the Initial Access and Execution tactics with Exploit Public-Facing Application (T1190) and Command and Scripting Interpreter (T1059) as corresponding techniques.

Press the Explore Detections button to instantly access the whole set of Sigma rules for CVE-2022-47966, corresponding CTI links, ATT&CK references, threat hunting ideas, and detection engineering guidance.


CVE-2022-47966 Analysis

Initially discovered by a Viettel Cyber Security researcher, the vulnerability was brought to light in November 2022 after Zoho announced patches for 24 on-premises products. Tracked as CVE-2022-47966, the bug received a critical severity rating because it enables an unauthenticated adversary to execute malicious code on the system.

The issue stems from an insecure third-party dependency, the Apache Santuario library, which the products use to implement XML security standards. Notably, the flaw is exploitable only if SAML single sign-on is currently enabled or has been enabled at some point within the affected products. Attackers need to craft a malicious SAML request with an invalid signature to trigger the exploit. From there, the threat actor can gain complete control of the system, dump credentials, and move laterally across the environment.

On January 19, 2023, Horizon3.ai released an in-depth technical overview of CVE-2022-47966 alongside a PoC exploit for it. Simultaneously, Rapid7 researchers reported several related compromises observed since at least January 17. This means attackers were exploiting the bug even before the public PoC release, using it to disable Microsoft Defender Antivirus protections and drop additional remote access tools.
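The post-exploitation behaviour described above (a shell interpreter spawned from the ManageEngine Java process, T1059, and Defender real-time protection being switched off) can be hunted for in process-creation telemetry. The following is an added example, not one of SOC Prime's Sigma rules; the install path, field names and sample events are constructed assumptions.

```python
"""Toy correlation over constructed process-creation events (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Both markers together indicate Defender real-time protection being turned off.
DEFENDER_TAMPER_MARKERS = ("set-mppreference", "disablerealtimemonitoring")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_manageengine_java(path: str) -> bool:
    # Assumption: the product runs its bundled JRE from a "ManageEngine" directory.
    return "manageengine" in path.lower() and basename(path) == "java.exe"


def classify(ev: ProcEvent) -> List[str]:
    hits = []
    if is_manageengine_java(ev.parent_image) and basename(ev.image) in SHELLS:
        hits.append("T1059: shell spawned by ManageEngine Java process")
    cl = ev.command_line.lower()
    if all(marker in cl for marker in DEFENDER_TAMPER_MARKERS):
        hits.append("Defender real-time protection disabled via Set-MpPreference")
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every matching event."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


# Constructed sample telemetry, not real logs.
ME_JAVA = r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe"
SAMPLE_EVENTS = [
    ProcEvent(ME_JAVA, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    ProcEvent(ME_JAVA, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(ME_JAVA, ME_JAVA, "java.exe -jar worker.jar"),          # benign child
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```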

Given the growing number of exploitations in the wild, organizations are urged to identify unpatched systems and immediately upgrade to the fixed versions of the Zoho ManageEngine products. ManageEngine’s security advisory can be found here.

The critical CVE-2022-47966 bug joins the growing list of critical vulnerabilities disclosed in Zoho ManageEngine products over the last year. To stay ahead of emerging attacks, security practitioners can access over 700 Sigma rules for ManageEngine and other notorious CVEs by leveraging collective cyber defense. Get 120+ Sigma rules for free at https://socprime.com/ or the entire detection stack with On Demand at https://my.socprime.com/pricing/
