EUVD-2025-17446
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.
Analysis
Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.
Technical Context
CVE-2025-3835 stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic file upload vulnerability where the Content Search module in ManageEngine Exchange Reporter Plus fails to properly validate or restrict uploaded file types. The vulnerability likely exists in the web-facing search functionality that processes user-submitted content without adequate input validation, allowing attackers to upload and execute arbitrary files (potentially executable code, web shells, or scripts) on the server. Exchange Reporter Plus is ManageEngine's reporting and analytics solution for Microsoft Exchange environments, making the Content Search module a critical interface. The affected product CPE would be: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* with version constraint <=5721. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L), but requires user interaction (UI:R), suggesting a social engineering or victim-initiated upload component.
Affected Products
Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior. Specific affected versions include all releases from the product's inception through version 5721. The Content Search module is the attack vector. CPE: cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:* (version <=5721). Organizations should verify their exact installed version; patch availability and fixed versions (likely 5722 or higher) must be confirmed through Zohocorp's official security advisories. No specific configuration or deployment model appears to limit exposure—any deployment of Exchange Reporter Plus <=5721 with the Content Search module enabled is affected.
Remediation
Immediate remediation steps: (1) Identify and inventory all ManageEngine Exchange Reporter Plus installations, noting version numbers; (2) Upgrade to the latest patched version released by Zohocorp (expected to be >5721; confirm via Zohocorp security bulletins at https://www.manageengine.com/security or vendor communications); (3) If immediate patching is not feasible, implement compensating controls: (a) Restrict network access to the Exchange Reporter Plus UI using firewall rules or VPN authentication, (b) Disable or restrict the Content Search module if operationally acceptable, (c) Monitor uploaded files and Content Search activity logs for suspicious patterns, (d) Apply principle of least privilege to service accounts; (4) Review access logs for evidence of prior exploitation; (5) Monitor Zohocorp's official security advisory pages and CISA alerts for patch release announcements and detailed remediation guidance; (6) Test patches in a non-production environment before enterprise rollout.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today