CVE-2025-7633

7.3 HIGH

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in ManageEngine Exchange Reporter Plus allows attackers to inject malicious scripts into custom reports. When users view these reports, the scripts execute in their browser context, potentially stealing session cookies or performing actions as the user. Organizations using Exchange Reporter Plus versions 5723 and below are affected.

💻 Affected Systems

Products:
  • Zohocorp ManageEngine Exchange Reporter Plus
Versions: 5723 and below
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with custom report functionality are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack sessions, install backdoors, or pivot to other systems in the network.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of logged-in users.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access to create/modify custom reports. Exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5724 or later

Vendor Advisory: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-7633.html

Restart Required: Yes

Instructions:

1. Download the latest version from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the Exchange Reporter Plus service.

🔧 Temporary Workarounds

Disable Custom Reports

all

Temporarily disable custom report creation/modification functionality.

Navigate to Admin > Security Settings > Disable Custom Reports

Implement WAF Rules

all

Add XSS filtering rules to web application firewall.

Add rule: block requests containing <script> tags in report parameters

🧯 If You Can't Patch

  • Restrict access to custom report functionality to trusted administrators only
  • Implement Content Security Policy headers to mitigate script execution

🔍 How to Verify

Check if Vulnerable:

Check the current version in Admin > About. If the version is 5723 or below, the system is vulnerable.

Check Version:

Check the version in the web interface or the installation directory.

Verify Fix Applied:

Verify version is 5724 or later and test custom report functionality with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual custom report creation/modification
  • Requests containing script tags in report parameters

Network Indicators:

  • HTTP requests with JavaScript payloads in report fields

SIEM Query:

source="exchange_reporter" AND (message="*<script>*" OR message="*javascript:*")
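The SIEM query above matches the literal strings `<script>` and `javascript:`. The following Python script is an added example, not vendor code or part of this advisory: it applies the same two indicators to log events, but URL-decodes and case-folds the message first so that percent-encoded or upper-cased variants are also caught. The key=value log layout and the sample events are constructed assumptions; adapt `parse_event` to the actual Exchange Reporter Plus log format.

```python
"""Run the page's stored-XSS log indicators over sample events.

Added example, not vendor code. The log layout (source, user, path,
message as quoted key=value pairs) is an assumption; the sample lines
are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample events (assumed key="value" layout).
SAMPLE_LOGS = [
    'source="exchange_reporter" user="alice" path="/reports/custom/save" '
    'message="name=Weekly Mailbox Summary"',
    'source="exchange_reporter" user="bob" path="/reports/custom/save" '
    'message="name=%3Cscript%3Edocument.title%3C%2Fscript%3E"',
    'source="exchange_reporter" user="carol" path="/reports/custom/save" '
    'message="name=<SCRIPT>alert(1)</SCRIPT>"',
    'source="exchange_reporter" user="dave" path="/reports/custom/save" '
    'message="link=JavaScript:void(0)"',
    'source="other_app" user="erin" path="/x" message="<script>"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# The two indicators from the SIEM query, compiled case-insensitively.
# Decoding plus case folding catches variants the literal query misses.
INDICATORS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def parse_event(line):
    """Split one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def normalize(value, rounds=2):
    """URL-decode up to `rounds` times so %3Cscript%3E becomes <script>."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(event):
    """True when an exchange_reporter event's message carries an indicator."""
    if event.get("source") != "exchange_reporter":
        return False
    msg = normalize(event.get("message", ""))
    return any(p.search(msg) for p in INDICATORS)


def find_suspicious(lines):
    """Return (user, path) for every event that trips an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev.get("user"), ev.get("path")))
    return hits


if __name__ == "__main__":
    for user, path in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT user={user} path={path}")
```

Run against the constructed events, the script flags the three report-save requests from bob, carol and dave and ignores both the benign report name and the event from another source. The `source` filter mirrors the `source="exchange_reporter"` clause of the query; the decoding step is the part worth keeping when porting this to a real SIEM rule.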
