CVE-2025-9435
📋 TL;DR
A path traversal vulnerability in Zohocorp ManageEngine ADManager Plus allows attackers to access files outside the intended directory through the User Management module. This affects all versions below 7230, potentially exposing sensitive system files to authenticated users.
💻 Affected Systems
- Zohocorp ManageEngine ADManager Plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could read sensitive system files, configuration files, or potentially write files to unauthorized locations, leading to system compromise or data exfiltration.
Likely Case
Authenticated users could access files they shouldn't have permission to view, potentially exposing configuration files, logs, or other sensitive data within the application's directory structure.
If Mitigated
With proper access controls and network segmentation, impact would be limited to the application's own files and directories, preventing system-wide compromise.
🎯 Exploit Status
Exploitation requires authenticated access to the ADManager Plus application. The path traversal occurs through the User Management module.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7230
Vendor Advisory: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html
Restart Required: Yes
Instructions:
1. Download ADManager Plus build 7230 or later from the ManageEngine website.
2. Stop the ADManager Plus service.
3. Install the update.
4. Restart the service.
🔧 Temporary Workarounds
Restrict User Management Module Access
Limit access to the User Management module to only the administrative users who need it.
Implement Web Application Firewall Rules
Configure WAF rules to block path traversal patterns (such as '../', '..\' and their URL-encoded forms like '%2e%2e%2f') in requests to the User Management module.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ADManager Plus from sensitive systems
- Enable detailed logging and monitoring of file access attempts in the User Management module
🔍 How to Verify
Check if Vulnerable:
Check the ADManager Plus version in the web interface under Help > About or examine the installation directory for version files.
Check Version:
On Windows: check 'C:\Program Files\ManageEngine\ADManager Plus\conf\version.info' or the web interface.
On Linux: check '/opt/ManageEngine/ADManager Plus/conf/version.info' or the web interface.
Verify Fix Applied:
Verify the version is 7230 or higher and test that path traversal attempts in the User Management module are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in ADManager Plus logs
- Multiple failed attempts to access files with '../' sequences in the User Management module
Network Indicators:
- HTTP requests containing '../' or directory traversal sequences to User Management endpoints
SIEM Query:
source="admanager_plus" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
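As an added example (not from the advisory or from the vendor), the indicators above turned into a small access-log scanner: it percent-decodes each request URI repeatedly so that '%2e%2e%2f' and double-encoded forms are caught, folds backslashes to slashes, reports requests to the User Management module that carry a '..' segment, and lists users with repeated hits. The combined-log layout, the '/UserManagement/' URL prefix and the sample lines are assumptions and constructed data, not real ADManager Plus output.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined-format access log line; the layout is an assumption, adjust LOG_RE to the real log format.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment at the start, after a "/" or inside a query value (after =, & or ?).
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")
# Hypothetical URL prefix of the User Management module; replace with the real one.
MODULE_PREFIX = "/UserManagement/"

def normalize_uri(uri: str, max_decode: int = 3) -> str:
    """Percent-decode repeatedly (catches %2e%2e%2f and double-encoded %252e) and fold '\\' to '/'."""
    for _ in range(max_decode):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")

def is_traversal(uri: str) -> bool:
    """True when the decoded URI carries a '../' (or '..\\') sequence in its path or query."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None

def scan_log(lines, module_prefix: str = MODULE_PREFIX):
    """Return (user, src, status, uri) for module requests that carry a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed entry: skip rather than crash
        uri = m.group("uri")
        if normalize_uri(uri).startswith(module_prefix) and is_traversal(uri):
            hits.append((m.group("user"), m.group("src"), int(m.group("status")), uri))
    return hits

def repeat_offenders(hits, min_hits: int = 2):
    """Users with at least min_hits flagged requests (the 'multiple attempts' indicator)."""
    counts = Counter(user for user, _src, _status, _uri in hits)
    return sorted(u for u, n in counts.items() if n >= min_hits)

# Constructed sample lines, not real ADManager Plus log output.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Sep/2025:10:01:02 +0000] "GET /UserManagement/report?file=report.csv HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Sep/2025:10:01:09 +0000] "GET /UserManagement/report?file=../../conf/version.info HTTP/1.1" 403 0',
    '10.0.0.9 - bob [12/Sep/2025:10:02:30 +0000] "GET /UserManagement/export?path=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 200 0',
    '10.0.0.9 - bob [12/Sep/2025:10:02:41 +0000] "GET /UserManagement/export?path=%252e%252e%255cconf HTTP/1.1" 200 0',
    '10.0.0.7 - carol [12/Sep/2025:10:03:10 +0000] "GET /Home/index.html?q=../etc HTTP/1.1" 200 10',
]
```

Running `scan_log(SAMPLE_LOG)` flags alice's rejected request and both of bob's encoded ones (carol's request is outside the module), and `repeat_offenders` singles out bob.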