CVE-2025-3444

MEDIUM

Zohocorp ManageEngine ServiceDesk Plus MSP - Unrestricted File Upload

Title source: rule

Description

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

Scores

CVSS v3: 6.5
EPSS: 0.0201
EPSS Percentile: 83.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-434
Status: published
Products (4):
zohocorp/manageengine_servicedesk_plus_msp 14.9 14900 (2 CPE variants)
zohocorp/manageengine_servicedesk_plus_msp < 14.8
zohocorp/manageengine_supportcenter_plus 14.9 14900 (2 CPE variants)
zohocorp/manageengine_supportcenter_plus < 14.8
Published: May 22, 2025
Tracked Since: Feb 18, 2026