Severity
High
Analysis Summary
CVE-2025-41403 CVSS:8.3
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements while fetching service account audit data, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2025-3836 CVSS:8.3
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements to the logon events aggregate report, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVE-2025-3444 CVSS:6.5
Zoho ManageEngine ServiceDesk Plus and SupportCenter Plus could allow a remote authenticated attacker to include arbitrary files, caused by improper validation of user requests. An attacker could send a specially crafted URL request to the Admin module to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information from the vulnerable Web server.
CVE-2025-3834 CVSS:8.1
Zoho ManageEngine ADAudit Plus is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements to the OU History report, which could allow the attacker to view, add, modify or delete information in the back-end database.
Impact
- Gain Access
- Data Manipulation
Indicators of Compromise
CVE
CVE-2025-41403
CVE-2025-3836
CVE-2025-3444
CVE-2025-3834
Affected Vendors
Affected Products
- Zoho ManageEngine ADAudit Plus - 8510
- Zoho ManageEngine ServiceDesk Plus MSP - 14910
- Zoho ManageEngine SupportCenter Plus - 14910
Remediation
Refer to the Zoho ManageEngine Security Advisory for patch, upgrade, or suggested workaround information.