CVE-2025-3444

MEDIUM

ManageEngine ServiceDesk Plus MSP and SupportCenter Plus < 14920 - Authenticated Local File Inclusion in Admin Help Card

Title source: llm

Description

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

Scores

CVSS v3 6.5
EPSS 0.0123
EPSS Percentile 64.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (4)
zohocorp/manageengine_servicedesk_plus_msp 14.9 14900 (2 CPE variants)
zohocorp/manageengine_servicedesk_plus_msp < 14.8
zohocorp/manageengine_supportcenter_plus 14.9 14900 (2 CPE variants)
zohocorp/manageengine_supportcenter_plus < 14.8
Published May 22, 2025
Tracked Since Feb 18, 2026