VERY IMPORTANT

CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.