Creates firewall rules to block inbound web traffic and known malicious IPs associated with CVE-2022-47966 exploitation
This Automox Worklet™ creates Windows Firewall rules to protect endpoints from active exploitation of CVE-2022-47966, a critical vulnerability affecting various ManageEngine products. The Worklet blocks inbound traffic on ports 80 and 443, preventing web-based attacks against vulnerable services.
The Worklet also blocks all inbound and outbound communications with 15 IP addresses confirmed by CISA to have been used in attacks exploiting this vulnerability. This network-level isolation prevents both initial compromise and command-and-control communications if the endpoint is already compromised.
Important warnings: This Worklet will enable the Windows Firewall service if disabled. If no firewall profiles are enabled, it enables the Public profile. Blocking ports 80 and 443 inbound will make any web services hosted on the endpoint unavailable.
CVE-2022-47966 affects multiple ManageEngine products and allows unauthenticated remote code execution. APT actors have actively exploited this vulnerability against organizations running vulnerable ManageEngine installations.
CISA documented specific threat actor infrastructure used in these attacks. Blocking these IP addresses at the firewall level provides immediate protection while you work on patching affected applications.
This Worklet serves as emergency mitigation when patching cannot happen immediately. Use it alongside your patch management process to reduce risk during the remediation window.
Evaluation phase: The Worklet exits with code 0, always triggering remediation for manual execution. This Worklet is designed to run on-demand through FixNow or policy execution rather than scheduled compliance checks.
Remediation phase: The Worklet verifies the Windows Firewall service is running, starting it if necessary. It enables the Public firewall profile if no profiles are active. It then creates inbound block rules for TCP ports 80 and 443, plus inbound and outbound block rules for each known malicious IP address. Rules are named with the [AUTOMOX WORKLET] prefix for identification.
Windows servers or workstations potentially running ManageEngine products
Windows Firewall service must be available (will be started automatically)
Administrative privileges to manage firewall rules
Understand impact: blocks all inbound web traffic on ports 80 and 443
Parameter: Revert (set to true to remove all firewall rules created by this Worklet)
After remediation, the Windows Firewall contains rules blocking inbound TCP traffic on ports 80 and 443, plus 30 additional rules blocking inbound and outbound traffic to known malicious IP addresses. You can view these rules in Windows Firewall with Advanced Security, identified by the [AUTOMOX WORKLET] prefix. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.
Web services hosted on the protected endpoint become unavailable to external clients. After patching CVE-2022-47966, run this Worklet again with the Revert parameter set to true to remove the firewall rules and restore normal network operations.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for "Mitigate CVE-2022-47966".
Confirm Automox activity logs show successful completion and exit code 0.
Verify the endpoint state using checks aligned with the logic of the evaluation and remediation scripts.
Validate the effects of the remediation script's operations (such as Get-Service, Where-Object, and Select-Object), then rerun the evaluation to confirm compliance.
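
One way to check the endpoint state described above directly on a pilot machine. This is an added example, not the Worklet's own code. It assumes only what this page states: rule names carry the [AUTOMOX WORKLET] prefix, and 15 addresses each get one inbound and one outbound rule. The variable names are illustrative.

```powershell
# Added verification sketch; run in an elevated PowerShell session.
# Assumption: each rule's DisplayName contains the literal prefix below.
$Prefix = '[AUTOMOX WORKLET]'

# 1. The Windows Firewall service (MpsSvc) must be running.
$serviceOk = (Get-Service -Name MpsSvc).Status -eq 'Running'

# 2. At least one profile must be enabled, or the rules are not enforced.
$activeProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })

# 3. Enabled block rules carrying the prefix. String.Contains() is used because
#    '[' and ']' are wildcard characters for -like and would not match literally.
$rules = @(Get-NetFirewallRule | Where-Object {
    $_.DisplayName.Contains($Prefix) -and
    $_.Action -eq 'Block' -and $_.Enabled -eq 'True'
})

# 4. Inbound TCP 80 and 443 must each be covered by one of those rules.
$blockedPorts = @($rules | Where-Object { $_.Direction -eq 'Inbound' } |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' } |
    ForEach-Object { $_.LocalPort })
$missingPorts = @('80', '443' | Where-Object { $_ -notin $blockedPorts })

# 5. IP rules are the ones scoped to a specific remote address.
#    The page states 30 of them: 15 addresses x 2 directions.
$ipRules = @($rules | Where-Object {
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -notcontains 'Any'
})
$ipInbound  = @($ipRules | Where-Object { $_.Direction -eq 'Inbound' }).Count
$ipOutbound = @($ipRules | Where-Object { $_.Direction -eq 'Outbound' }).Count

# Summary object: every *Ok field should be True after remediation.
[pscustomobject]@{
    ServiceOk      = $serviceOk
    ProfilesOk     = $activeProfiles.Count -gt 0
    ActiveProfiles = ($activeProfiles.Name -join ', ')
    PortRulesOk    = $missingPorts.Count -eq 0
    MissingPorts   = ($missingPorts -join ', ')
    IpInboundOk    = $ipInbound -eq 15
    IpOutboundOk   = $ipOutbound -eq 15
    TotalRules     = $rules.Count
}
```

After running the Worklet with Revert set to true, TotalRules should drop to 0.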


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
