CVE-2025-11250

Zohocorp · ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus versions before 6519 contain an authentication bypass vulnerability stemming from improper filter configurations.

Executive summary

An authentication bypass vulnerability in Zohocorp ManageEngine ADSelfService Plus allows unauthorized actors to circumvent security controls.

Vulnerability

The vulnerability is caused by improper filter configurations that fail to correctly validate session or authentication tokens, allowing attackers to bypass authentication requirements and gain unauthorized access to the application.

Business impact

The ability to bypass authentication in a centralized identity and self-service management platform is catastrophic. With a CVSS score of 9.1, this vulnerability allows attackers to gain unauthorized administrative or user-level access, potentially leading to identity theft, unauthorized account management, and widespread privilege escalation across the network.

Remediation

Immediate Action: Upgrade Zohocorp ManageEngine ADSelfService Plus to build 6519 or the latest available version provided by the vendor.

Proactive Monitoring: Review application audit logs for unauthorized administrative sessions or access attempts originating from unexpected IP addresses.

Compensating Controls: Restrict access to the ADSelfService Plus portal to trusted network segments or VPNs only until the patch is applied.
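To support the upgrade check and the log review described above, here is an added example (not vendor code) that flags an installed build older than 6519 and scans audit entries for successful admin logins from outside trusted ranges. The log layout, IP ranges and entries are constructed for illustration; the page does not document the real ADSelfService Plus audit format.

```python
import ipaddress
import re
from typing import List, Tuple

FIXED_BUILD = 6519  # first build that contains the fix, per the advisory

def is_vulnerable_build(build: int) -> bool:
    """True when the installed build predates the fixed build 6519."""
    return build < FIXED_BUILD

# Constructed audit-log lines in a hypothetical "timestamp user role result src_ip"
# layout; the real ADSelfService Plus audit format is not given on the page.
SAMPLE_AUDIT_LOG = """\
2025-10-01T08:02:11Z alice user LOGIN_SUCCESS 10.20.30.41
2025-10-01T08:05:43Z admin admin LOGIN_SUCCESS 10.20.30.12
2025-10-01T08:07:09Z admin admin LOGIN_SUCCESS 203.0.113.77
2025-10-01T08:09:50Z bob user LOGIN_FAILURE 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def suspicious_admin_sessions(log_text: str,
                              trusted_cidrs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, src_ip) for successful admin logins
    whose source address lies outside every trusted CIDR."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, user, role, result, src = m.groups()
        if role != "admin" or result != "LOGIN_SUCCESS":
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted):
            hits.append((ts, user, src))
    return hits

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_build(6518))
    for hit in suspicious_admin_sessions(SAMPLE_AUDIT_LOG, ["10.20.30.0/24"]):
        print("review:", hit)
```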

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Authentication bypass vulnerabilities in identity management software are high-priority targets. Organizations must treat this as an emergency update and verify that their instance of ADSelfService Plus is upgraded to version 6519 or later to prevent unauthorized system access.