CVE-2025-11250
Published: 2026-01-13
CVE-2025-11250: Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Priority: P2 (63) · CRITICAL 9.1 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:N
EPSS: 1.42% (69.5th percentile)
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_local-path-provisioner_0.0.24-5_on_azure_linux_3.0 | — | — |
| msrc | cm1_kubernetes_1.17.13-5_on_cbl_mariner_1.0 | — | — |
| zohocorp | manageengine_adselfservice_plus | < 6519 | 6519 |
| zohocorp | manageengine_adselfservice_plus | < 6.5 | 6.5 |
| zohocorp | manageengine_adselfservice_plus | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability affects Zohocorp ManageEngine ADSelfService Plus versions before 6519; upgrade to 6519 or later to remediate the authentication bypass.
- The root cause is improper filter configurations, meaning security filter rules in the application are misconfigured and can be bypassed; review and harden servlet/filter chain configurations.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_msrc | — | 5.5 | MEDIUM | — |
GHSA
GHSA-c737-phjj-7fvf (ghsa_unreviewed · 2026-01-13): CVE-2025-11250 [CRITICAL], CWE-290
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Microsoft
CVE-2020-8565 [MEDIUM], CWE-532 (vendor_msrc · 2020-12-08 · CVSS 5.5)
Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
- Product: Mariner
- Component: kubernetes
- Customer Action Required: Yes
- Remediation: CBL-Marin
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-1367 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.5 [MEDIUM])
## CVE-2026-1367: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option. (Source: NVD)
- Score: 8.3 (CNA Score 8.3) · Severity: HIGH
- Published: February 23, 2026
- Affected Technologies: Zoho ManageEngine ADSelfService Plus
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability (EPSS): 0.3 (54.7th percentile)
- Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
- Sources: NVD
- Windows: Severity HIGH · Has Fix · Added at: Feb 24, 2026
Wiz
CVE-2025-11250 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.5 [MEDIUM])
## CVE-2025-11250: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. (Source: NVD)
- Score: 9.1 (CNA Score 9.1) · Severity: CRITICAL
- Published: January 13, 2026
- Affected Technologies: Zoho ManageEngine ADSelfService Plus
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability (EPSS): 0.1 (30.2th percentile)
- Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
- Sources: —
- Windows: Severity CRITICAL · Has Fix · Added at: Jan 14, 2026
- Windows: Severity CRITICAL · Has Fix · Added at: Jan 30, 2026