ManageEngine ADSelfService Plus vulnerabilities

5 known vulnerabilities affecting manageengine/adselfservice_plus.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2025-3833 | HIGH | CVSS 8.1 | fixed in 6514 | 2025-05-14
CVE-2025-3833 [HIGH] CWE-89: Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
cvelistv5 | nvd
CVE-2025-1723 | HIGH | CVSS 8.1 | fixed in 6511 | 2025-03-03
CVE-2025-1723 [HIGH] CWE-287: Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.
cvelistv5 | nvd
CVE-2024-27310 | MEDIUM | CVSS 6.5 | fixed in 6401 | 2024-05-27
CVE-2024-27310 [MEDIUM] CWE-90: Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
cvelistv5 | nvd
CVE-2024-0252 | HIGH | CVSS 8.8 | fixed in 6402 | 2024-01-11
CVE-2024-0252 [HIGH] CWE-94: ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
cvelistv5 | nvd
CVE-2023-35719 | MEDIUM | CVSS 6.8 | v6.1 Build 6122 | 2023-09-06
CVE-2023-35719 [MEDIUM] CWE-345: ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw
cvelistv5 | nvd