CVE-2025-11670
📋 TL;DR
ManageEngine ADManager Plus builds before 8025 expose NTLM hashes to technicians who hold the 'Impersonate as Admin' privilege. An authenticated technician with that privilege can obtain password hashes usable for lateral movement or privilege escalation (for example pass-the-hash). Only organizations running ADManager Plus with this specific permission granted to at least one technician are affected.
💻 Affected Systems
- Zohocorp ManageEngine ADManager Plus
📦 What is this software?
ManageEngine ADManager Plus is Zoho Corporation's web-based Active Directory management and reporting product. "Technicians" are help-desk or delegated-admin users who are granted a subset of AD administration tasks through its role model; 'Impersonate as Admin' is one of the privileges such a role can carry.
⚠️ Risk & Real-World Impact
Worst Case
Technician with 'Impersonate as Admin' privilege obtains domain administrator NTLM hashes, enabling pass-the-hash attacks to compromise the entire Active Directory domain.
Likely Case
Malicious or compromised technician with appropriate permissions extracts NTLM hashes of regular user accounts, enabling lateral movement within the network.
If Mitigated
If 'Impersonate as Admin' is limited to a few audited accounts and technician activity is logged and reviewed, any hash exposure is detected and contained before the hashes are used elsewhere in the domain.
🎯 Exploit Status
Exploitation requires an authenticated technician account that holds the 'Impersonate as Admin' privilege; unauthenticated users and technicians without that privilege are not in scope. The vulnerability appears to be an information disclosure flaw in how the software handles authentication material.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8025
Vendor Advisory: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-11670.html
Restart Required: Yes
Instructions:
1. Download ADManager Plus build 8025 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
5. Verify that the reported build is now 8025 or higher.
🔧 Temporary Workarounds
Disable Impersonate as Admin
Remove the 'Impersonate as Admin' permission from all technician accounts to prevent exploitation. Any workflow that depended on that privilege will stop working, so confirm which technicians actually need it before removing it, and re-grant it only after patching.
Navigate to ADManager Plus Admin Console > User Management > Technician Roles > Edit role > Uncheck 'Impersonate as Admin'
🧯 If You Can't Patch
- Immediately review which technician roles carry 'Impersonate as Admin' and restrict it to the absolutely necessary personnel
- Implement enhanced monitoring and logging of technician activity, especially authentication- and impersonation-related operations, and review past activity by accounts that held the privilege
🔍 How to Verify
Check if Vulnerable:
Check ADManager Plus version in Admin Console > About. If version is below 8025 and 'Impersonate as Admin' is enabled for any technician, the system is vulnerable.
Check Version:
Check version in ADManager Plus web interface or via 'java -jar admanager.jar -version' in installation directory
Verify Fix Applied:
Verify version is 8025 or higher in Admin Console > About and confirm 'Impersonate as Admin' permissions are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication events from technician accounts
- Multiple NTLM authentication attempts from a single source in a short window
- Technician accounts accessing privileged authentication functions
Network Indicators:
- Unusual NTLM traffic patterns from ADManager Plus server
- Authentication requests to unexpected systems
SIEM Query (pseudo-query; map source, event_type and user_role to the field names your log schema actually uses):
source="ADManager Plus" AND (event_type="authentication" OR event_type="impersonation") AND user_role="technician"
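The two log indicators above, run as detection logic over sample audit lines. This is an added example, not code from the advisory or from ManageEngine: the key=value line layout, the field names, the role value "technician" and the sample lines themselves are all constructed assumptions, so adapt the regular expression to the export format your ADManager Plus instance actually produces. The first rule mirrors the SIEM pseudo-query (technician accounts touching authentication or impersonation functions); the second flags a source that produces several NTLM authentication events inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an ASSUMED key=value layout. The real
# ADManager Plus log schema may differ; only the detection logic is the point.
SAMPLE_LOGS = [
    "2025-10-01T09:00:01 source=10.0.0.5 user=jsmith role=technician event_type=login detail=ok",
    "2025-10-01T09:00:15 source=10.0.0.5 user=jsmith role=technician event_type=impersonation detail=target=admin",
    "2025-10-01T09:00:20 source=10.0.0.5 user=jsmith role=technician event_type=authentication detail=ntlm",
    "2025-10-01T09:00:21 source=10.0.0.5 user=jsmith role=technician event_type=authentication detail=ntlm",
    "2025-10-01T09:00:22 source=10.0.0.5 user=jsmith role=technician event_type=authentication detail=ntlm",
    "2025-10-01T09:05:00 source=10.0.0.9 user=admin role=admin event_type=impersonation detail=target=svc",
    "2025-10-01T10:00:00 source=10.0.0.7 user=kdoe role=technician event_type=report detail=users",
    "Oct 1 malformed line that the parser must skip",
]

# Assumed line format: <iso timestamp> source=<ip> user=<name> role=<role> event_type=<type> detail=<text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) event_type=(?P<event_type>\S+) detail=(?P<detail>.*)$"
)

# Event types the page's SIEM query treats as privileged authentication functions.
PRIVILEGED_EVENTS = {"authentication", "impersonation"}


def parse_line(line):
    """Return a record dict for a well-formed line, or None so junk is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def technician_privileged_events(records):
    """Rule 1: technician-role accounts invoking authentication or impersonation."""
    return [r for r in records
            if r["role"] == "technician" and r["event_type"] in PRIVILEGED_EVENTS]


def ntlm_bursts(records, threshold=3, window=timedelta(minutes=1)):
    """Rule 2: >= threshold NTLM authentication events from one source within a sliding window."""
    by_source = defaultdict(list)
    for r in records:
        if r["event_type"] == "authentication" and "ntlm" in r["detail"].lower():
            by_source[r["source"]].append(r["ts"])
    alerts = []
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window` of time.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"source": source, "count": end - start + 1,
                               "window_end": times[end]})
                break  # one alert per source is enough for triage
    return alerts


def analyze(lines, threshold=3, window=timedelta(minutes=1)):
    """Parse raw lines and apply both rules; unparseable lines are dropped."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "technician_privileged": technician_privileged_events(records),
        "ntlm_bursts": ntlm_bursts(records, threshold, window),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for r in result["technician_privileged"]:
        print(f"technician {r['user']} from {r['source']}: {r['event_type']} ({r['detail']})")
    for a in result["ntlm_bursts"]:
        print(f"NTLM burst from {a['source']}: {a['count']} attempts ending {a['window_end']}")
```

On the constructed sample this flags jsmith's impersonation event and three NTLM authentications under rule 1, and 10.0.0.5 as an NTLM burst under rule 2; the admin account's impersonation is not flagged because the page's indicator is scoped to technician roles, and the technician's ordinary report run is not flagged either. Tune `threshold` and `window` to your baseline before enabling the burst rule, since legitimate technician sessions also authenticate repeatedly.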