Update for ManageEngine ADAudit Plus fixes high-risk security vulnerabilities
In ManageEngine ADAudit Plus, manufacturer Zoho has patched two vulnerabilities classified as high risk.
(Image: heise online / dmk)
There are two security vulnerabilities in the ManageEngine ADAudit Plus management software from Zohocorp that the developers classify as high-risk. Updates are available. IT managers should check whether their instances are up-to-date.
Both vulnerabilities are SQL injection flaws. “An SQL injection vulnerability affecting the API responsible for fetching data related to the ADAudit Plus OU history report has been corrected,” Zoho writes in the first security alert (CVE-2025-41407, no EUVD entry, CVSS 8.3, risk “high”). Zoho describes the potential impact as follows: “This vulnerability could allow authenticated adversaries to execute their queries and access database table entries with the vulnerable query.”
Two similar vulnerabilities
Zoho gives the same description for the second vulnerability, which affects a different API: “An SQL injection vulnerability impacts an API responsible for exporting ADAudit Plus reports” (CVE-2025-36527, no EUVD entry, CVSS 8.3, risk “high”). The impact is identical to that of the first vulnerability.
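The advisories quoted above do not show the affected code. As an added illustration, not Zoho's code and not derived from ADAudit Plus, the following Python/sqlite3 sketch shows the general pattern behind findings of this kind: a report-fetch query that splices caller-controlled input into the SQL text, beside its parameterized fix, plus an allowlist for identifiers such as an export's sort column, which cannot be bound as parameters. The table names, sample rows and function names are constructed assumptions.

```python
import sqlite3

# Constructed sample schema: a report table that the API is meant to expose,
# and a second table that an API caller should never be able to read.
_SCHEMA = """
CREATE TABLE ou_history (ou_name TEXT, event TEXT, actor TEXT);
CREATE TABLE app_users (username TEXT, password_hash TEXT);
INSERT INTO ou_history VALUES ('Sales',   'OU_CREATED',  'alice');
INSERT INTO ou_history VALUES ('Sales',   'OU_MODIFIED', 'bob');
INSERT INTO ou_history VALUES ('Finance', 'OU_CREATED',  'carol');
INSERT INTO app_users  VALUES ('admin', 'hash-placeholder');
"""

# Columns an export request may sort by (hypothetical allowlist).
_EXPORT_COLUMNS = {"ou_name", "event", "actor"}


def open_db():
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def fetch_ou_history_vulnerable(conn, ou_name):
    """Defective pattern: the caller's value is pasted into the SQL text.

    Because the value becomes part of the statement, it can change the
    query's structure instead of acting only as a comparison value.
    """
    sql = f"SELECT ou_name, event, actor FROM ou_history WHERE ou_name = '{ou_name}'"
    return conn.execute(sql).fetchall()


def fetch_ou_history_fixed(conn, ou_name):
    """Fixed pattern: the value is passed as a bound parameter.

    The database driver keeps the statement and the data separate, so the
    value is always compared literally and never parsed as SQL.
    """
    sql = "SELECT ou_name, event, actor FROM ou_history WHERE ou_name = ?"
    return conn.execute(sql, (ou_name,)).fetchall()


def export_ou_history_fixed(conn, sort_column):
    """Export the report sorted by a caller-chosen column.

    Identifiers (column or table names) cannot be bound as parameters, so
    they are validated against a fixed allowlist before being interpolated.
    """
    if sort_column not in _EXPORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT ou_name, event, actor FROM ou_history ORDER BY {sort_column}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_db()
    # A value that is a valid OU name behaves the same in both variants.
    print("fixed, 'Sales':     ", fetch_ou_history_fixed(db, "Sales"))
    # A value containing SQL syntax only changes the result in the defective variant.
    crafted = "' OR '1'='1"
    print("vulnerable, crafted:", fetch_ou_history_vulnerable(db, crafted))
    print("fixed, crafted:     ", fetch_ou_history_fixed(db, crafted))
    print("export by actor:    ", export_ou_history_fixed(db, "actor"))
```

Run stand-alone, the vulnerable variant returns every row of the report for the crafted value while the fixed variant returns none; the same two patterns (bind values, allowlist identifiers) are what a code review of a report or export API should look for.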
ManageEngine ADAudit Plus builds before 8511 are vulnerable to such attacks; build 8511 and later contain the fixes for both vulnerabilities. They are available for download from the Zohocorp service pack website. The fix was already released on May 9, but the vulnerability reports only became public at the weekend.
Most recently, Zohocorp had to patch a security vulnerability in the web-based identity management software ADSelfService Plus. Attackers would otherwise have been able to take over accounts through the vulnerability, which was classified as high risk. The company's developers cited faulty session handling as the cause.
(dmk)