CVE-2025-1723
📋 TL;DR
ManageEngine ADSelfService Plus versions 6510 and below mishandle user sessions in a way that allows account takeover. Exploitation requires an existing valid account in the deployment: an authenticated user can abuse the flaw to take over other users' accounts within the same instance.
💻 Affected Systems
- Zohocorp ManageEngine ADSelfService Plus
📦 What is this software?
ManageEngine ADSelfService Plus by Zohocorp: a web-based self-service password management and single sign-on portal for Active Directory users.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could take over administrative accounts, leading to complete system compromise, data exfiltration, and lateral movement across the network.
Likely Case
A low-privileged but authenticated user (any valid account holder) takes over another user's session to reach self-service functions, account data, or privileges that are not theirs.
If Mitigated
Limited impact where access is restricted to trusted networks and users, session activity is monitored, and the instance is segmented from the rest of the network.
🎯 Exploit Status
Requires valid account credentials within the system to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6511 or later
Vendor Advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html
Restart Required: Yes
Instructions:
1. Download the latest version from ManageEngine's website.
2. Back up your current installation.
3. Run the installer to upgrade to version 6511 or later.
4. Restart the ADSelfService Plus service.
🔧 Temporary Workarounds
Restrict Access
Limit access to ADSelfService Plus to trusted networks and users only; this narrows who can obtain the valid account the exploit requires.
Monitor User Sessions
Implement enhanced session monitoring and alerting, in particular for one session identifier appearing under more than one user.
🧯 If You Can't Patch
- Implement strict access controls and network segmentation to isolate the ADSelfService Plus instance.
- Enable detailed logging and monitoring for all authentication and session management events.
🔍 How to Verify
Check if Vulnerable:
Check the ADSelfService Plus version in the web interface under Help > About or via the installation directory.
Check Version:
The web interface shows the build on both Windows and Linux; on Linux you can also read the version file in the installation directory.
Verify Fix Applied:
Verify the version is 6511 or later after applying the patch.
📡 Detection & Monitoring
Log Indicators:
- Unusual session creation patterns
- Multiple failed login attempts followed by successful logins from same IP
- The same session identifier presented under more than one username, or one session active from more than one source IP
Network Indicators:
- Unusual authentication traffic patterns to ADSelfService Plus
SIEM Query:
source="ADSelfService Plus" AND (event_type="session_hijack" OR multiple_sessions_from_same_user)
The field names above are illustrative; map them to the fields your log forwarder actually emits for ADSelfService Plus before deploying the search.
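The log indicators above, turned into runnable detection logic. This is an added example, not code from ManageEngine or from the original page: the log format and the sample events are constructed for illustration, and the three checks (a session id used under more than one user, a session used from more than one source IP, a run of failed logins followed by a success from the same IP) must be mapped onto the fields your real ADSelfService Plus log source emits.

```python
"""Detection checks for the CVE-2025-1723 session-misuse indicators.

Added example, not ManageEngine code. The log format below is constructed
for illustration; map the fields to whatever your ADSelfService Plus log
forwarder actually emits before using this in production.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real ADSelfService Plus output). One line per
# authentication or session event: timestamp, user, source IP, event, session id.
SAMPLE_LOG = """\
2025-03-01T09:58:10Z user=bob   ip=10.0.0.9  event=LOGIN_FAILED  session=-
2025-03-01T09:58:14Z user=bob   ip=10.0.0.9  event=LOGIN_FAILED  session=-
2025-03-01T09:58:19Z user=bob   ip=10.0.0.9  event=LOGIN_FAILED  session=-
2025-03-01T09:58:31Z user=bob   ip=10.0.0.9  event=LOGIN_OK      session=S-1111
2025-03-01T10:00:01Z user=alice ip=10.0.0.5  event=LOGIN_OK      session=S-2222
2025-03-01T10:02:44Z user=alice ip=10.0.0.5  event=REQUEST       session=S-2222
2025-03-01T10:03:10Z user=admin ip=10.0.0.9  event=REQUEST       session=S-2222
2025-03-01T10:05:00Z user=carol ip=10.0.0.7  event=LOGIN_OK      session=S-3333
2025-03-01T10:05:30Z user=carol ip=10.0.0.9  event=REQUEST       session=S-3333
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+"
    r"event=(?P<event>\S+)\s+session=(?P<session>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production parser would report it
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def sessions_shared_across_users(events):
    """Session ids presented under more than one username.

    A session should map to exactly one account; the same id showing up for a
    second account is the strongest indicator of takeover via session misuse.
    """
    users_by_session = defaultdict(set)
    for ev in events:
        if ev["session"] != "-":
            users_by_session[ev["session"]].add(ev["user"])
    return {s: sorted(u) for s, u in users_by_session.items() if len(u) > 1}


def sessions_from_multiple_ips(events):
    """Session ids used from more than one source IP (weaker signal: NAT, VPN
    and mobile clients also cause this, so treat it as corroboration)."""
    ips_by_session = defaultdict(set)
    for ev in events:
        if ev["session"] != "-":
            ips_by_session[ev["session"]].add(ev["ip"])
    return {s: sorted(i) for s, i in ips_by_session.items() if len(i) > 1}


def failures_then_success(events, min_failures=3):
    """Source IPs with at least min_failures consecutive failed logins that were
    then followed by a successful login. Returns ip -> (failure_count, user)."""
    streak = defaultdict(int)
    hits = {}
    for ev in events:
        if ev["event"] == "LOGIN_FAILED":
            streak[ev["ip"]] += 1
        elif ev["event"] == "LOGIN_OK":
            if streak[ev["ip"]] >= min_failures:
                hits[ev["ip"]] = (streak[ev["ip"]], ev["user"])
            streak[ev["ip"]] = 0
    return hits


def detect(text, min_failures=3):
    """Run all three indicator checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "shared_sessions": sessions_shared_across_users(events),
        "multi_ip_sessions": sessions_from_multiple_ips(events),
        "failures_then_success": failures_then_success(events, min_failures),
    }


if __name__ == "__main__":
    for name, finding in detect(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample, session S-2222 is flagged both because it is presented under alice and then admin and because it moves from 10.0.0.5 to 10.0.0.9; S-3333 only trips the multi-IP check, and 10.0.0.9 shows three failures before bob's successful login. In a real deployment, the shared-session check is the one worth paging on; the other two are context.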