CVE-2025-1724
📋 TL;DR
This vulnerability allows attackers to take over AD-only accounts in Zoho Analytics products due to a hardcoded sensitive token. It affects on-premise installations of ManageEngine Analytics Plus and Zoho Analytics versions older than 6130. Attackers could gain unauthorized access to sensitive data and administrative functions.
💻 Affected Systems
- ManageEngine Analytics Plus
- Zoho Analytics On-Premise
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of AD-integrated accounts leading to data exfiltration, privilege escalation, and full system takeover.
Likely Case
Unauthorized access to sensitive business analytics data and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation requires knowledge of the hardcoded token and AD integration configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6130 or later
Vendor Advisory: https://www.manageengine.com/analytics-plus/CVE-2025-1724.html
Restart Required: No
Instructions:
1. Download version 6130 or later from the Zoho/ManageEngine portal.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Verify successful upgrade and functionality.
🔧 Temporary Workarounds
Disable AD Integration
(all platforms) Temporarily disable Active Directory integration to prevent account takeover via this vulnerability.
Network Isolation
(all platforms) Restrict network access to vulnerable instances using firewalls or network segmentation.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only.
- Monitor authentication logs for suspicious AD account activity and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Check the installed version in the application's About section or admin panel. If the version is below 6130, the system is vulnerable.
Check Version:
Check via web interface: Admin Panel → About or System Information
Verify Fix Applied:
After patching, verify the version shows 6130 or higher and test AD authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts from unexpected IPs
- Multiple failed AD login attempts followed by successful access
- Administrative actions performed by non-admin users
Network Indicators:
- Unusual outbound connections from analytics server
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="analytics-plus" AND (event_type="authentication" AND result="success" AND user="*@domain") | stats count by src_ip, user
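The query above counts successful logins per source IP and user, but the "failed attempts followed by successful access" indicator depends on event order. The following is an added example, not code from this page or the vendor; the key=value log layout, field names, thresholds and sample events are constructed assumptions that mirror the query's fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and field names are an
# assumption mirroring the query's fields, not the product's real log format.
SAMPLE_LOG = """\
2025-03-01T08:00:00 event_type=authentication result=failure user=carol@corp.example src_ip=198.51.100.9
2025-03-01T08:01:00 event_type=authentication result=failure user=carol@corp.example src_ip=198.51.100.9
2025-03-01T08:02:00 event_type=authentication result=failure user=carol@corp.example src_ip=198.51.100.9
2025-03-01T09:00:01 event_type=authentication result=failure user=alice@corp.example src_ip=203.0.113.7
2025-03-01T09:00:20 event_type=authentication result=failure user=alice@corp.example src_ip=203.0.113.7
2025-03-01T09:00:45 event_type=authentication result=failure user=alice@corp.example src_ip=203.0.113.8
2025-03-01T09:01:10 event_type=authentication result=success user=alice@corp.example src_ip=203.0.113.8
2025-03-01T09:05:00 event_type=authentication result=failure user=bob@corp.example src_ip=192.0.2.15
2025-03-01T09:05:30 event_type=authentication result=success user=bob@corp.example src_ip=192.0.2.15
2025-03-01T09:06:00 event_type=report_export result=success user=bob@corp.example src_ip=192.0.2.15
2025-03-01T09:30:00 event_type=authentication result=success user=carol@corp.example src_ip=198.51.100.9
"""

def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def failures_then_success(lines, min_failures=3, window=timedelta(minutes=10)):
    """Alert when a user's successful login follows >= min_failures failed
    logins inside `window`. Failures are tracked per user across source IPs."""
    recent = defaultdict(deque)   # user -> deque of (ts, src_ip) failures
    alerts = []
    events = sorted(map(parse, filter(str.strip, lines)), key=lambda e: e["ts"])
    for ev in events:
        if ev.get("event_type") != "authentication":
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # drop failures outside window
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["src_ip"]))
        elif ev["result"] == "success":
            if len(q) >= min_failures:
                alerts.append({"user": ev["user"], "success_ip": ev["src_ip"],
                               "failures": len(q),
                               "failure_ips": sorted({ip for _, ip in q})})
            q.clear()   # a success resets the failure streak
    return alerts

if __name__ == "__main__":
    for alert in failures_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `min_failures` and `window` to the account lockout policy in the directory, and map the parser to whatever fields the deployment's authentication log actually emits.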