CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Description
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.
Analysis
CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and a network attack vector, this represents a significant risk to organizations running affected versions, particularly where the audit database holds sensitive credential and access-pattern data.
Technical Context
CVE-2025-36528 is an instance of CWE-89 (SQL Injection) in ManageEngine ADAudit Plus, a privileged account governance and auditing solution that monitors Active Directory and service account activities. The vulnerability exists in the Service Account Auditing reports module, which likely constructs SQL queries dynamically from unsanitized user input taken from report filters or parameters. ADAudit Plus uses a backend database (typically SQL Server or MySQL depending on deployment) to store audit logs and configuration data. The root cause is insufficient input validation combined with the absence of parameterized queries in the reporting engine, which lets an attacker break out of the intended SQL syntax and inject additional statements or clauses. This is particularly dangerous given ADAudit Plus's role in storing sensitive credential audit trails and access logs.
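The root cause described above, concatenating a report filter into SQL text instead of binding it as a parameter, is easiest to see side by side. The following Python snippet is an added example and not code from ADAudit Plus or Zohocorp: it builds a toy service-account audit table in an in-memory SQLite database (the table name, columns and rows are invented for the demonstration) and runs the same filter through a vulnerable and a hardened report function.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the audit database; schema and rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE svc_audit ("
        "id INTEGER PRIMARY KEY, account TEXT, event TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO svc_audit (account, event, secret) VALUES (?, ?, ?)",
        [
            ("svc_backup", "logon", "backup-key-1"),
            ("svc_sql", "logon", "sql-key-2"),
            ("svc_web", "password_change", "web-key-3"),
        ],
    )
    return conn


def report_vulnerable(conn, account_filter):
    """Report filter spliced into the SQL string (the CWE-89 pattern).

    Whatever the caller supplies becomes part of the query text, so a quote
    in the filter ends the string literal and the rest is parsed as SQL.
    """
    sql = (
        "SELECT account, event FROM svc_audit WHERE account = '"
        + account_filter
        + "'"
    )
    return conn.execute(sql).fetchall()


def report_hardened(conn, account_filter):
    """Same report with a bound parameter.

    The driver sends the filter as data; it can never change the statement's
    structure, so a quote or keyword inside it is just compared as text.
    """
    sql = "SELECT account, event FROM svc_audit WHERE account = ?"
    return conn.execute(sql, (account_filter,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal filter behaves identically in both versions.
    print(report_vulnerable(db, "svc_sql"), report_hardened(db, "svc_sql"))
    # A tautology filter widens the vulnerable report to every row;
    # the hardened report simply finds no account with that literal name.
    tautology = "x' OR '1'='1"
    print(len(report_vulnerable(db, tautology)), len(report_hardened(db, tautology)))
```

Run stand-alone, the vulnerable report returns all three rows for the tautology filter while the hardened one returns none. The parameterized form is the fix the advisory's root-cause analysis points at; input validation on top of it (for example an allow-list of expected account-name characters) is defence in depth, not a substitute, because the driver-level binding is what removes the ability to alter the statement at all.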
Affected Products
Zohocorp ManageEngine ADAudit Plus versions 8510 and all prior versions are vulnerable. The affected CPE identifier is cpe:2.3:a:zohocrp:manageengine_adaudit_plus:*:*:*:*:*:*:*:* (versions up to and including 8510). The vulnerability specifically affects the Service Account Auditing reports module, so any installation that performs service account auditing and exposes those reports through the web interface or API is at risk. On-premises deployments are directly affected; cloud-hosted versions depend on Zohocorp's patch deployment timeline. Organizations should verify their exact version via the ManageEngine ADAudit Plus Administration console > Help > About.
Remediation
Immediate remediation steps:
1. Upgrade ManageEngine ADAudit Plus to version 8511 or later (patch version details should be confirmed via the Zohocorp security advisory).
2. If immediate patching is not feasible, implement network-level access controls restricting access to the ADAudit Plus web interface and APIs to trusted administrative networks only.
3. Disable or restrict access to Service Account Auditing reports for non-administrative users.
4. Implement database-level SQL query logging and intrusion detection signatures to monitor for SQL injection attempts (look for SQL keywords such as UNION, SELECT, INSERT and DROP in report parameters).
5. Enforce strong authentication (multi-factor authentication) for ADAudit Plus user accounts to reduce insider threat risk.
Consult Zohocorp's official security advisory at 'https://www.manageengine.com/adaudit-plus/security-advisory.html' (expected location for vendor advisories) for patch availability and detailed upgrade procedures.
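A starting point for step 4, the monitoring of report parameters for injection attempts, as an added example that is not part of this advisory and not a signature shipped by Zohocorp or vuln.today. The script parses web-server access-log lines in Common Log Format, URL-decodes each query-string parameter of the request and scores it on several independent indicators (SQL keyword, string-delimiter quote, comment sequence, tautology) rather than on keywords alone, so that an account named "drop_svc" does not raise an alert on its own. The log lines, the request path /reports/serviceAccountAudit and the parameter names are constructed for the demonstration and are assumptions about the real product's URLs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real ADAudit Plus logs; path and
# parameter names are assumed for illustration).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2025:10:01:02 +0000] "GET /reports/serviceAccountAudit?account=svc_backup&days=7 HTTP/1.1" 200 4321
10.0.0.9 - bob [12/May/2025:10:03:44 +0000] "GET /reports/serviceAccountAudit?account=x%27%20UNION%20SELECT%201%2C2--&days=7 HTTP/1.1" 200 9876
10.0.0.7 - carol [12/May/2025:10:05:10 +0000] "GET /reports/serviceAccountAudit?account=svc_sql&days=30 HTTP/1.1" 200 2048
10.0.0.9 - bob [12/May/2025:10:06:01 +0000] "GET /reports/serviceAccountAudit?account=svc_web%27%20OR%20%271%27%3D%271&days=7 HTTP/1.1" 200 9900
"""

# Common Log Format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Indicators are scored separately; a single keyword never flags by itself.
SQL_KEYWORD_RE = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|EXEC)\b", re.I
)
COMMENT_RE = re.compile(r"--|/\*")
TAUTOLOGY_RE = re.compile(r"'\s*(?:or|and)\s*[\w']+\s*=", re.I)


def score_value(value):
    """Return (score, reasons) for one decoded parameter value."""
    score, reasons = 0, []
    keywords = sorted({m.group(1).upper() for m in SQL_KEYWORD_RE.finditer(value)})
    if keywords:
        score += 1
        reasons.append("sql-keyword:" + ",".join(keywords))
    if "'" in value:  # string delimiter is what breaks out of a literal
        score += 1
        reasons.append("quote")
    if COMMENT_RE.search(value):  # comment markers discard the rest of the query
        score += 1
        reasons.append("sql-comment")
    if TAUTOLOGY_RE.search(value):  # ' OR '1'=... style always-true clause
        score += 2
        reasons.append("tautology")
    return score, reasons


def scan_log(text, threshold=2):
    """Return one finding per parameter value whose score reaches the threshold."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:  # parse_qs already URL-decodes the value
                score, reasons = score_value(value)
                if score >= threshold:
                    findings.append({
                        "ts": m.group("ts"), "user": m.group("user"),
                        "ip": m.group("ip"), "param": name, "value": value,
                        "score": score, "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} ip={f['ip']} param={f['param']} "
              f"score={f['score']} reasons={','.join(f['reasons'])} value={f['value']!r}")
```

Run on the constructed lines, only the two requests from the same user are flagged, each on more than one indicator. Keyword lists are inherently noisy, which is why the example insists on a second indicator before alerting; in production the same finding should be correlated with the database-side query log from step 4 (the web tier only sees what reached the report endpoint, the database sees what was actually executed) and with response-size outliers such as the larger responses in the sample.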
EUVD-2025-17451