CVE-2025-3833
Published 2025-05-14
CVE-2025-3833: Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
Priority: P2 · 65 · high
CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 27.77% (97.8th percentile)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | adselfservice_plus | < 6514 | 6514 |
| msrc | azl3_openwsman_2.6.8-13_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_openwsman_2.6.8-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| zohocorp | manageengine_adselfservice_plus | < 6.5 | 6.5 |
| zohocorp | manageengine_adselfservice_plus | — | — |
Detection & IOCs (extracted from sources)
- CVE-2025-3833 is an authenticated SQL injection vulnerability in the MFA reports feature of ManageEngine ADSelfService Plus. Monitor for anomalous SQL syntax in requests targeting MFA report endpoints from authenticated sessions.
- The vulnerability only affects ADSelfService Plus versions 6513 and prior; versions after 6513 contain the fix. Confirm that a patched version is deployed.
- Exploitation requires authentication; focus detection efforts on authenticated user sessions interacting with MFA report functionality.
CVSS provenance
- NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Vendor (MSRC): 7.5 HIGH
GHSA
GHSA-r263-h39v-v2j9 (ghsa_unreviewed, 2025-05-14)
CVE-2025-3833 [HIGH] CWE-89: Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
Microsoft
vendor_msrc, 2019-03-12, CVSS 7.5
CVE-2019-3833 [HIGH] CWE-835: Openwsman versions up to and including 2.6.9 are vulnerable to an infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to cause denial of service to the openwsman server.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog.
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz, CVSS 5.5
CVE-2026-1367 [MEDIUM]: CVE-2026-1367 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1367: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
Source: NVD
Score: 8.3
Published: February 23, 2026
Severity: HIGH
CNA Score: 8.3
Affected Technologies: Zoho ManageEngine ADSelfService Plus
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 54.7
Exploitation Probability (EPSS): 0.3
Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
Sources: NVD
Windows: Severity HIGH, Has Fix, Added at Feb 24, 2026
Wiz
blogs_wiz, CVSS 5.5
CVE-2025-11250 [MEDIUM]: CVE-2025-11250 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11250: Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
Source: NVD
Score: 9.1
Published: January 13, 2026
Severity: CRITICAL
CNA Score: 9.1
Affected Technologies: Zoho ManageEngine ADSelfService Plus
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 30.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus
Sources:
- Windows: Severity CRITICAL, Has Fix, Added at Jan 14, 2026
- Windows: Severity CRITICAL, Has Fix, Added at Jan 30, 2026