CVE-2025-3444

CWE-434 — Unrestricted File Upload CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

6.5MEDIUM

EPSS

1.5%

top 18.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manageengine Servicedesk Plus MSP Manageengine Supportcenter Plus Zohocorp Manageengine Servicedesk Plus MSP +1 more

Timeline

PublishedMay 22

Description

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDzohocorp/manageengine_supportcenter_plus14.8+1

▶NVDzohocorp/manageengine_servicedesk_plus_msp14.8+1

▶CVEListV5manageengine/supportcenter_plus< 14920

▶CVEListV5manageengine/servicedesk_plus_msp< 14920

🔴Vulnerability Details

CVEList

Local File Inclusion↗2025-05-22

▶

GHSA

GHSA-mjxx-858f-xw63: Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in t↗2025-05-22

▶

📋Vendor Advisories

Microsoft

Linux kernel bpf verifier incorrect mod32 truncation↗2021-03-09

▶