CVE-2025-9787
📋 TL;DR
ManageEngine Applications Manager versions 177400 and below contain a stored cross-site scripting (XSS) vulnerability in the NOC view. An attacker can inject script into the NOC view that executes in the browser of every user who later opens the affected interface, potentially compromising those users' sessions or performing unauthorized actions on their behalf. Any organization running a vulnerable version is affected.
💻 Affected Systems
- Zohocorp ManageEngine Applications Manager
📦 What is this software?
Manageengine Applications Manager by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the NOC interface, or perform unauthorized administrative actions through injected scripts.
Likely Case
Attackers with access to the NOC view could inject scripts that steal session cookies or redirect users to malicious sites when legitimate users view the compromised interface.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires access to the NOC view interface, which typically requires authentication. The vulnerability is a stored XSS, meaning injected scripts persist in the application and affect every user who views the NOC view.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 177401 or later
Vendor Advisory: https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9787.html
Restart Required: Yes
Instructions:
1. Download the latest version from ManageEngine's official website.
2. Backup your current installation.
3. Stop the Applications Manager service.
4. Install the update.
5. Restart the service.
🔧 Temporary Workarounds
Disable NOC View Access
Temporarily restrict or disable access to the NOC view interface until patching is complete.
Implement WAF Rules
Configure web application firewall rules to block XSS payloads targeting the NOC view endpoints.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user inputs in the NOC view interface
- Restrict access to the NOC view to only trusted administrators using network segmentation and strong authentication
🔍 How to Verify
Check if Vulnerable:
Check the Applications Manager version in the web interface under Help > About. If the version is 177400 or lower, the system is vulnerable.
Check Version:
Check via web interface: Help > About, or check the build number in installation directory properties.
Verify Fix Applied:
After updating, verify that the version shown under Help > About is 177401 or higher. Test the NOC view interface with safe XSS test payloads to confirm that input is properly sanitized and encoded on output.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in NOC view logs
- Multiple failed XSS attempts in web server logs
- Unexpected modifications to NOC view content
Network Indicators:
- HTTP requests containing script tags or JavaScript to NOC view endpoints
- Unusual outbound connections from Applications Manager server after NOC view access
SIEM Query:
source="applications_manager" AND (uri="*/noc/*" OR uri="*/NOC/*") AND (content="<script>" OR content="javascript:" OR content="onerror=" OR content="onload=")
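As an added example (not part of this advisory and not Applications Manager code), the following Python script applies the SIEM query's indicators to web-server access log lines. It goes beyond the literal query by percent-decoding the request URI before matching, so encoded and double-encoded payloads that a plain substring search would miss are also flagged. The log lines, client addresses, user names and the /noc/example and /NOC/example paths are constructed placeholders, not the product's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Indicator substrings taken from the advisory's SIEM query, matched case-insensitively.
XSS_INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# NOC view path filter, mirroring the query's uri="*/noc/*" OR uri="*/NOC/*" clause.
NOC_PATH = re.compile(r"/noc/", re.IGNORECASE)

# Combined-log-format request line: client, user, timestamp, method, URI.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def decode_uri(uri: str) -> str:
    """Percent-decode until stable so double-encoded payloads (%253C...) are
    normalized; the literal SIEM query would miss %3Cscript%3E entirely."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote_plus(uri)
    return uri


def find_indicators(uri: str) -> list:
    """Return the advisory's XSS indicators present in the decoded URI."""
    decoded = decode_uri(uri).lower()
    return [ind for ind in XSS_INDICATORS if ind in decoded]


def scan_log(text: str) -> list:
    """One finding per log line that both targets a NOC view path and carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        uri = m.group("uri")
        if not NOC_PATH.search(uri):
            continue  # outside the NOC view; not in scope for this rule
        hits = find_indicators(uri)
        if hits:
            findings.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "uri": uri,
                "indicators": hits,
            })
    return findings


# Constructed sample log lines (placeholder hosts, users and paths; not real product logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Oct/2025:10:00:01 +0000] "POST /NOC/example?name=Prod%20Rack HTTP/1.1" 200 512
10.0.0.7 - alice [01/Oct/2025:10:00:02 +0000] "GET /index.do HTTP/1.1" 200 1024
10.0.0.9 - bob [01/Oct/2025:10:00:03 +0000] "POST /NOC/example?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Oct/2025:10:00:04 +0000] "GET /noc/example?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Oct/2025:10:00:05 +0000] "GET /reports/example?q=%3Cscript%3E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Oct/2025:10:00:06 +0000] "GET /noc/example?name=%253Cscript%253E HTTP/1.1" 200 512
10.0.0.9 - bob [01/Oct/2025:10:00:07 +0000] "GET /noc/example?link=javascript%3Aalert(1) HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['user']} {f['uri']} -> {', '.join(f['indicators'])}")
```

The benign NOC request and the /reports/ request are deliberately left out of the findings: the first carries no indicator, and the second falls outside the NOC path filter the advisory's query scopes to. A real deployment would feed this the Applications Manager web-server access log and alert on any finding, then inspect the stored NOC view content for the same user.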