CVE-2025-1723

CWE-287 — Improper Authentication CWE-476 — NULL Pointer Dereference6 documents6 sources

Severity

8.1HIGH

EPSS

0.2%

top 58.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manageengine Adselfservice Plus Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedMar 3

Latest updateDec 16

Description

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDzohocorp/manageengine_adselfservice_plus< 6.5+1

▶CVEListV5manageengine/adselfservice_plus< 6511

🔴Vulnerability Details

OSV

idpf: fix possible vport_config NULL pointer deref in remove↗2025-12-16

▶

CVEList

Account takeover↗2025-03-03

▶

GHSA

GHSA-qfwr-vpjx-v989: Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling↗2025-03-03

▶

📋Vendor Advisories

Red Hat

kernel: idpf: fix possible vport_config NULL pointer deref in remove↗2025-12-16

▶