CVE-2025-27709: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

A high-severity SQL injection vulnerability (CVE-2025-27709) was discovered in Zohocorp ManageEngine ADAudit Plus versions 8510 and prior, specifically affecting the Service Account Auditing reports functionality. The vulnerability was disclosed on May 09, 2025, and has been assigned a CVSS v3.1 base score of 8.3 (High) (NVD, ManageEngine).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and affects an API involved in displaying the count of ADAudit Plus' Service Account Auditing reports. It has been assigned a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, indicating network accessibility, low attack complexity, and requiring low privileges to exploit (NVD).

If successfully exploited, this vulnerability could allow an authenticated adversary to execute custom queries and access the database table entries using the vulnerable request. The high CVSS score reflects the potential for significant data exposure and system compromise (ManageEngine).

ManageEngine has released a fix for this vulnerability in ADAudit Plus build 8511. Users are strongly advised to update their ADAudit Plus instances to this latest build using the service pack to remediate the vulnerability (ManageEngine).