CVE-2025-11250 — Authentication Bypass by Spoofing in Manageengine Adselfservice Plus

CWE-290 — Authentication Bypass by Spoofing CWE-532 — Log File Information Exposure5 documents5 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 69.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedJan 13

Description

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5zohocorp/manageengine_adselfservice_plus< 6519

▶NVDzohocorp/manageengine_adselfservice_plus< 6.5+1

Patches

Patch: www.manageengine.com ↗

🔴Vulnerability Details

CVEList

Authentication Bypass↗2026-01-13

▶

GHSA

GHSA-c737-phjj-7fvf: Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations↗2026-01-13

▶

📋Vendor Advisories

Microsoft

Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9↗2020-12-08

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11250 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶