CVE-2025-3833: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2025-3833 is a SQL injection vulnerability affecting ManageEngine ADSelfService Plus versions 6513 and earlier, discovered internally through the Zoho BugBounty program and fixed on April 22, 2025. The vulnerability exists in the MFA reports functionality where custom input used to search MFA reports could be exploited (ManageEngine Advisory, NVD).

The vulnerability occurs when custom input is incorporated into SQL queries from the Reports module to the ADSelfService Plus database without adequate validation or sanitization. It has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (Wiz).

The vulnerability could allow authenticated ADSelfService Plus technicians to execute arbitrary SQL commands through the Reports module, potentially leading to unauthorized modifications to the ADSelfService Plus database. It's important to note that this vulnerability could only be exploited by authenticated technicians and not by end users (ManageEngine Advisory).

The vulnerability has been patched in ADSelfService Plus build 6514, released on April 22, 2025. The fix ensures that all queries to the database are properly sanitized. Organizations using affected versions should update their ADSelfService Plus instance to build 6514 or later using the service pack (ManageEngine Advisory).