CVE-2025-1723: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2025-1723 affects Zohocorp ManageEngine ADSelfService Plus versions 6510 and below, discovered and disclosed in March 2025. The vulnerability is related to session mishandling that could lead to account takeover, specifically impacting valid account holders in the setup (NVD, ManageEngine Advisory).

The vulnerability stems from improper session management in ADSelfService Plus, specifically when multi-factor authentication (MFA) is not enabled for ADSelfService Plus login. The issue has been assigned a CVSS 3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, and is classified under CWE-287 (Improper Authentication) (ManageEngine Advisory, NVD).

This vulnerability could lead to unauthorized access to user enrollment data and potential account takeovers. The impact is particularly significant when MFA is not enabled for ADSelfService Plus login, potentially exposing sensitive user information (Security Online).

Zoho has released version 6511 of ADSelfService Plus to address this vulnerability. The fix ensures that enrollment data is accessible only to the user whose session is currently authenticated. Organizations are strongly advised to update their ADSelfService Plus instances to build 6511 or later using the service pack. Additionally, enabling MFA is recommended as a security best practice (ManageEngine Advisory).

The vulnerability was discovered and reported by Weston through the Zoho BugBounty program, highlighting the effectiveness of bug bounty programs in identifying security issues. The security community has emphasized the importance of enabling MFA as a crucial security measure, even in the absence of this specific vulnerability (Security Online).