CVE-2025-5366: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in Zohocorp ManageEngine Exchange Reporter Plus, affecting version 5722 and below. The vulnerability (CVE-2025-5366) was discovered in the Folder-wise Read Mails with Subject report feature. The issue was identified by Ngockhanhc311 from FPT NightWolf and was fixed in build 5723, released on June 23, 2025 (ManageEngine Advisory).

The vulnerability is classified as a Stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 8.1 (HIGH). The attack vector is characterized as Network-based (AV:N) with Low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is unchanged (S:U) with High confidentiality and integrity impact (C:H, I:H) and No availability impact (A:N) (NVD).

The vulnerability could allow attackers to create a privileged account and gain access to the application, potentially compromising the security of the Exchange Reporter Plus installation (ManageEngine Advisory).

Users are strongly advised to update Exchange Reporter Plus to build 5723 or later immediately. The update can be applied by downloading the latest service pack from the ManageEngine website and following the provided installation instructions. For assistance with the update process, users can contact product support at support@exchangereporterplus.com (ManageEngine Advisory).