
Cloud Vulnerability DB
A community-led vulnerabilities database
A privilege escalation vulnerability (CVE-2025-8309) was identified in ManageEngine's suite of products including Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. The vulnerability was discovered and reported by @devme4f from VNPT-VCI through ManageEngine's bug bounty program, with disclosure on August 20, 2025. The affected versions include Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940 (ManageEngine Advisory).
The vulnerability stems from improper privilege management: overly permissive regular expression (regex) rules in the URL mapping could be exploited to incorrectly match servlet paths using wildcards. It has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating a network attack vector, low attack complexity, low required privileges and no user interaction (NVD).
The vulnerability allows an authenticated, low-privileged user to take control of any account, including administrator accounts, potentially leading to data exposure and unauthorized actions. However, the vulnerability is not applicable if local authentication is disabled, and high-privileged user accounts associated with an email ID cannot be compromised through this method (ManageEngine Advisory).
ManageEngine has addressed the vulnerability by implementing stricter URL path validation to prevent unauthorized access and removing unused API servlet classes along with their URL mappings. Fixed versions were released on August 5, 2025 (Asset Explorer 7710 and ServiceDesk Plus 15110) and August 12, 2025 (ServiceDesk Plus MSP 14940 and SupportCenter Plus 14940). Users are advised to upgrade to the latest service packs available through the official ManageEngine website (ManageEngine Advisory).
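The class of flaw described above (a wildcard rule matching a servlet path it was never meant to cover) can be audited by replaying an inventory of servlet paths against the rule table. The following is an added example, not ManageEngine's code or rules: every path, rule and role name in it is constructed for illustration, and it assumes first-match-wins rule evaluation.

```python
import re

ROLE_RANK = {"user": 1, "admin": 2}

# Constructed servlet inventory: path -> role the servlet is meant to require.
SERVLETS = {
    "/api/profile/view": "user",
    "/api/profile/settings": "user",
    "/api/admin/accounts/settings": "admin",
}

# Constructed rule tables: (regex, role granted access). First match wins.
LOOSE_RULES = [
    (r"/api/.*/settings", "user"),   # ".*" spans path segments, so it also covers /admin/
    (r"/api/profile/.*", "user"),
    (r"/api/admin/.*", "admin"),
]
STRICT_RULES = [
    (r"/api/profile/(view|settings)", "user"),   # explicit paths, no open wildcard
    (r"/api/admin/accounts/settings", "admin"),
]

def granted_role(rules, path):
    """Return the role of the first rule that fully matches path, or None (deny)."""
    for pattern, role in rules:
        if re.fullmatch(pattern, path):
            return role
    return None

def audit(rules, servlets):
    """Return (path, required, granted) wherever a rule grants less than the servlet requires."""
    findings = []
    for path, required in sorted(servlets.items()):
        granted = granted_role(rules, path)
        if granted is not None and ROLE_RANK[granted] < ROLE_RANK[required]:
            findings.append((path, required, granted))
    return findings

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(name, audit(rules, SERVLETS))
```

Running the same audit against the real rule table after each mapping change catches a rule whose wildcard reaches a higher-privileged servlet before it ships.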
Source: This report was generated using AI