Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionCVE.org
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.
AnalysisAI
CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and earlier, affecting the Service Account Auditing reports functionality. An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure, data modification, or partial denial of service. With a CVSS score of 8.3 and network-accessible attack vector, this represents a significant risk to organizations using affected versions, particularly in environments where administrative audit logs contain sensitive credentials and access patterns.
Technical ContextAI
CVE-2025-36528 exploits CWE-89 (SQL Injection) within ManageEngine ADAudit Plus, a privileged account governance and auditing solution that monitors Active Directory and service account activities. The vulnerability exists in the Service Account Auditing reports module, which likely constructs SQL queries dynamically using unsanitized user input from report filters or parameters. ADAudit Plus uses a backend database (typically SQL Server or MySQL depending on deployment) to store audit logs and configuration data. The root cause is insufficient input validation and parameterized query usage in the reporting engine, allowing attackers to break out of intended SQL query syntax and inject malicious commands. This is particularly dangerous given ADAudit Plus's role in storing sensitive credential audit trails and access logs.
RemediationAI
Immediate remediation steps: (1) Upgrade ManageEngine ADAudit Plus to version 8511 or later (patch version details should be confirmed via Zohocorp security advisory); (2) If immediate patching is not feasible, implement network-level access controls restricting access to the ADAudit Plus web interface and APIs to trusted administrative networks only; (3) Disable or restrict access to Service Account Auditing reports for non-administrative users; (4) Implement database-level SQL query logging and intrusion detection signatures to monitor for SQL injection attempts (look for SQL keywords: UNION, SELECT, INSERT, DROP, etc. in report parameters); (5) Enforce strong authentication (multi-factor authentication) for ADAudit Plus user accounts to reduce insider threat risk. Consult Zohocorp's official security advisory at 'https://www.manageengine.com/adaudit-plus/security-advisory.html' (expected location for vendor advisories) for patch availability and detailed upgrade procedures.
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remot
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and e
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser a
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL q
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows rem
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in Z
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the path
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17451