CVE-2025-36527
📋 TL;DR
This SQL injection vulnerability in ManageEngine ADAudit Plus allows attackers to execute arbitrary SQL commands when exporting reports. Organizations using versions below 8511 are affected, potentially exposing sensitive Active Directory audit data.
💻 Affected Systems
- ManageEngine ADAudit Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, and potential lateral movement within the network.
Likely Case
Unauthorized access to sensitive audit logs and Active Directory information, potentially exposing user credentials and security configurations.
If Mitigated
Limited data exposure if proper input validation and database permissions are enforced, though SQL injection attempts would still be logged.
🎯 Exploit Status
Requires authenticated access to the ADAudit Plus web interface. SQL injection vulnerabilities are typically easy to exploit with standard tools like SQLmap.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8511
Vendor Advisory: https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html
Restart Required: Yes
Instructions:
1. Download ADAudit Plus version 8511 or later from ManageEngine website. 2. Stop ADAudit Plus service. 3. Backup current installation. 4. Install the update. 5. Restart ADAudit Plus service.
🔧 Temporary Workarounds
Disable Report Export
allTemporarily disable report export functionality to prevent exploitation while planning upgrade.
Network Segmentation
allRestrict access to ADAudit Plus web interface to authorized users only using firewall rules.
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Restrict database permissions to minimum required for ADAudit Plus functionality
🔍 How to Verify
Check if Vulnerable:
Check ADAudit Plus version in web interface under Help > About or via installation directory version file.Check Version:
On Windows: Check 'C:\Program Files\ManageEngine\ADAudit Plus\conf\version.txt'. On Linux: Check '/opt/ManageEngine/ADAudit Plus/conf/version.txt'Verify Fix Applied:
Confirm version is 8511 or higher and test report export functionality with SQL injection test payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by report export requests
- Suspicious characters in report export parameters
Network Indicators:
- Unusual outbound database connections from ADAudit Plus server
- SQL error messages in HTTP responses
SIEM Query:
source="ad_audit_logs" AND (event="report_export" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT *" OR query CONTAINS "--"))