Rapid7 Vulnerability & Exploit Database

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

Back to Search

ManageEngine ADSelfService Plus Unauthenticated SAML RCE



This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.


  • Khoa Dinh
  • horizon3ai
  • Christophe De La Fuente




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show targets
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > set TARGET < target-id >
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options
    ...show and set options...
msf exploit(manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security