CVE-2025-1723

HIGH

ManageEngine ADSelfService Plus <= 6510 - Authenticated Account Takeover via Session Mishandling


Description

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to session mishandling. Only valid account holders in the setup have the potential to exploit this bug.

Scores

CVSS v3 8.1
EPSS 0.0029
EPSS Percentile 52.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-287
Status published
Products (2)
zohocorp/manageengine_adselfservice_plus 6.5 6500 (11 CPE variants)
zohocorp/manageengine_adselfservice_plus < 6.5
Published Mar 03, 2025
Tracked Since Feb 18, 2026