module

ManageEngine Endpoint Central Unauthenticated SAML RCE

Try Surface Command
Back to search
Disclosed
2023-01-10
Created
2023-02-09

Description

This exploits an unauthenticated remote code execution vulnerability
that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10
and below (CVE-2022-47966). Due to a dependency to an outdated library
(Apache Santuario version 1.4.1), it is possible to execute arbitrary
code by providing a crafted `samlResponse` XML to the Endpoint Central
SAML endpoint. Note that the target is only vulnerable if it is
configured with SAML-based SSO , and the service should be active.

Authors

Khoa Dinh
horizon3ai
Christophe De La Fuente
h00die-gr3y h00die.gr3y@gmail.com

Platform

Java,Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966
    msf exploit(manageengine_endpoint_central_saml_rce_cve_2022_47966) > show targets
        ...targets...
    msf exploit(manageengine_endpoint_central_saml_rce_cve_2022_47966) > set TARGET < target-id >
    msf exploit(manageengine_endpoint_central_saml_rce_cve_2022_47966) > show options
        ...show and set options...
    msf exploit(manageengine_endpoint_central_saml_rce_cve_2022_47966) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today