Skip to main content

Zoho CVE-2025-3835

| EUVDEUVD-2025-17446 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-06-09 0fc0942c-577d-436f-ae8e-945763c79b02
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:55 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5722
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17446
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 11:15 nvd
CRITICAL 9.6

DescriptionCVE.org

Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.

AnalysisAI

Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.

Technical ContextAI

CVE-2025-3835 stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic file upload vulnerability where the Content Search module in ManageEngine Exchange Reporter Plus fails to properly validate or restrict uploaded file types. The vulnerability likely exists in the web-facing search functionality that processes user-submitted content without adequate input validation, allowing attackers to upload and execute arbitrary files (potentially executable code, web shells, or scripts) on the server. Exchange Reporter Plus is ManageEngine's reporting and analytics solution for Microsoft Exchange environments, making the Content Search module a critical interface. The affected product CPE would be: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* with version constraint <=5721. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L), but requires user interaction (UI:R), suggesting a social engineering or victim-initiated upload component.

RemediationAI

Immediate remediation steps: (1) Identify and inventory all ManageEngine Exchange Reporter Plus installations, noting version numbers; (2) Upgrade to the latest patched version released by Zohocorp (expected to be >5721; confirm via Zohocorp security bulletins at https://www.manageengine.com/security or vendor communications); (3) If immediate patching is not feasible, implement compensating controls: (a) Restrict network access to the Exchange Reporter Plus UI using firewall rules or VPN authentication, (b) Disable or restrict the Content Search module if operationally acceptable, (c) Monitor uploaded files and Content Search activity logs for suspicious patterns, (d) Apply principle of least privilege to service accounts; (4) Review access logs for evidence of prior exploitation; (5) Monitor Zohocorp's official security advisory pages and CISA alerts for patch release announcements and detailed remediation guidance; (6) Test patches in a non-production environment before enterprise rollout.

More in Zoho

View all
CVE-2016-6600 CRITICAL POC
9.8 Jan 23

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remot

CVE-2015-8249 CRITICAL POC
9.8 Sep 28

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and e

CVE-2014-5005 HIGH POC
7.5 Oct 21

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers

CVE-2015-7765 CRITICAL POC
9.0 Oct 09

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser a

CVE-2015-7766 CRITICAL POC
9.0 Oct 09

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL q

CVE-2014-6037 HIGH POC
7.5 Oct 26

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8

CVE-2015-7387 HIGH POC
7.5 Sep 28

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions

CVE-2016-6601 HIGH POC
7.5 Jan 23

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows rem

CVE-2014-6034 MEDIUM POC
5.0 Dec 04

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in Z

CVE-2014-3996 HIGH POC
7.5 Dec 05

SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central

CVE-2017-11512 HIGH POC
7.5 Nov 08

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the path

CVE-2014-7866 HIGH POC
7.5 Dec 10

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and

Share

CVE-2025-3835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy