Zohocorp ManageEngine: Multiple Security Vulnerabilities in Various Products
Multiple vulnerability reports have been released regarding flaws in several Zohocorp ManageEngine products. Updates are available.
Several partly critical vulnerabilities have been discovered in multiple Zohocorp ManageEngine products. The company has now published vulnerability entries for them. Software updates to close the security gaps are available.
In Zohocorp ManageEngine Analytics Plus, attackers can exploit an SQL injection vulnerability without prior authentication; it stems from an insufficiently restrictive filter configuration. According to the manufacturer, this could allow attackers to take over accounts. Versions 6170 and older are affected (CVE-2025-8324, CVSS 9.8, risk “critical”). Analytics Plus on-premise build 6171 from August corrects the error.
In Application Manager up to and including version 178100, insufficient configuration in the “Execute Program” function allows attackers – although only after prior login – to inject commands (CVE-2025-9223, CVSS 8.8, risk “high”). The manufacturer's vulnerability description clarifies that a blacklist of forbidden commands can be bypassed. The developers have corrected this in versions 178001 to 178009 and 178200.
Further vulnerable products
In Exchange Reporter Plus up to and including version 5723, there are four Stored Cross-Site Scripting vulnerabilities. According to the developers' assessment, attackers can, for example, create accounts with elevated privileges and gain unauthorized access to them (CVE-2025-7429, CVE-2025-7430, CVE-2025-7432, CVE-2025-7433; all CVSS 7.3, risk “high”). Corrected software has been available with build 5724 and newer since the end of July.
Another security vulnerability is found in OpManager up to and including version 128609 and other versions. In SNMP trap processing, attackers can exploit a Stored Cross-Site Scripting vulnerability (CVE-2025-9227, CVSS 6.5, risk “medium”). Since the end of August, administrators can close the security vulnerability by updating to OpManager, OpManager Enterprise Edition, OpManager Plus, OpManager Plus Enterprise Edition, and OpManager MSP builds 128610, 128598, 128543, and 128466, respectively. As the manufacturer explains, attackers could exploit the vulnerability to take over the admin's CSRF and session token, thereby setting up a reverse shell and executing arbitrary code on the server.
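The stored XSS in trap processing described above is an instance of a general pattern: a string received from the network is written into the management console's HTML as-is. The following is an added illustration, not code from heise or from ManageEngine, of the vulnerable pattern beside its hardened form. The `Varbind` model, the OIDs and the trap payload are constructed sample data; the real product's trap handling and rendering are not shown on the page and are not assumed here.

```python
"""Escaping SNMP trap content before it is rendered in a web console.

Added illustration (not ManageEngine code): a stored XSS in trap processing
arises when a varbind value that arrived from the network is interpolated
into HTML unchanged. The mitigation is to treat every value as untrusted
text and HTML-encode it at the point of output.
"""
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Varbind:
    """One OID/value pair carried in an SNMP trap (hypothetical minimal model)."""
    oid: str
    value: str


# Constructed sample trap: the second varbind carries a standard XSS test vector.
# The OIDs are made up for this example and belong to no real product.
SAMPLE_TRAP = (
    Varbind("1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.4.1.99999.4"),
    Varbind("1.3.6.1.4.1.99999.4.1", "<script>alert('xss')</script>"),
)


def render_trap_unsafe(trap):
    """Vulnerable pattern: raw network input is placed directly into the HTML."""
    rows = "".join(f"<tr><td>{vb.oid}</td><td>{vb.value}</td></tr>" for vb in trap)
    return f"<table>{rows}</table>"


def render_trap(trap):
    """Hardened pattern: every field passes through html.escape at output time.

    quote=True also encodes ' and ", so the value is safe inside attributes too.
    """
    rows = "".join(
        f"<tr><td>{html.escape(vb.oid, quote=True)}</td>"
        f"<td>{html.escape(vb.value, quote=True)}</td></tr>"
        for vb in trap
    )
    return f"<table>{rows}</table>"


# Fragments that should never appear in a legitimate trap value; used only to
# raise an alert in the trap receiver's log, never as a substitute for encoding.
SUSPICIOUS_FRAGMENTS = ("<script", "javascript:", "onerror=", "onload=")


def flag_suspicious_varbinds(trap):
    """Detection aid: return the OIDs whose value looks like HTML/JS markup."""
    return [
        vb.oid
        for vb in trap
        if any(fragment in vb.value.lower() for fragment in SUSPICIOUS_FRAGMENTS)
    ]


if __name__ == "__main__":
    print(render_trap(SAMPLE_TRAP))
    print("flagged varbinds:", flag_suspicious_varbinds(SAMPLE_TRAP))
```

The point of `flag_suspicious_varbinds` is operational rather than preventive: a trap receiver that logs such values gives a SOC something to alert on, but the only fix that holds is encoding on output, since a denylist of fragments can be evaded the same way the page describes for the command blacklist.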
At the end of May, the company closed highly risky security vulnerabilities in ManageEngine ADAudit Plus.
(dmk)