Severity
High
Analysis Summary
CVE-2025-41403 (CVSS 8.3)
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements while fetching service account audit data, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2025-3836 (CVSS 8.3)
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements to the logon events aggregate report, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2025-3444 (CVSS 6.5)
Zoho ManageEngine ServiceDesk Plus and SupportCenter Plus could allow a remote authenticated attacker to include arbitrary files, caused by improper validation of user requests. An attacker could send a specially crafted URL request to the Admin module that specifies a file on the local system, which could allow the attacker to obtain sensitive information from the vulnerable web server.
CVE-2025-3834 (CVSS 8.1)
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements to the OU History report, which could allow the attacker to view, add, modify or delete information in the back-end database.
Impact
- Gain Access
- Data Manipulation
Indicators of Compromise
CVE
CVE-2025-41403
CVE-2025-3836
CVE-2025-3444
CVE-2025-3834
Affected Vendors
- Zoho
Affected Products
- Zoho ManageEngine ADAudit Plus - 8510
- Zoho ManageEngine ServiceDesk Plus MSP - 14910
- Zoho ManageEngine SupportCenter Plus - 14910
Remediation
Refer to the Zoho ManageEngine security advisory for patch, upgrade, or suggested workaround information for each affected product build listed above.