Zoho ManageEngine ServiceDesk Plus SAMLResponse command execution

Added: 02/17/2023

Background

Zoho ManageEngine ServiceDesk Plus is IT helpdesk software.

Problem

A vulnerability in an outdated Apache Santuario library in ServiceDesk Plus allows a remote, unauthenticated attacker to execute arbitrary commands by sending a specially crafted SAMLResponse parameter to the SAML endpoint.

Resolution

Upgrade to ServiceDesk Plus 14004 or higher.

References

https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/

Limitations

The target must have been configured with SAML-based SSO at least once in the past in order to be exploitable.

Platforms

Windows
