Session Mishandling Vulnerability in ManageEngine ADSelfService Plus by Zohocorp

CVE-2025-1723

What is CVE-2025-1723?

CVE-2025-1723 is a vulnerability found in ManageEngine ADSelfService Plus, a self-service password reset and single sign-on solution designed to enhance user productivity while ensuring account security. The vulnerability arises from session mishandling, which can allow valid users of the application to exploit the flaw and potentially take over accounts. This could lead to unauthorized access to sensitive information and disruption of services, negatively impacting organizational security and user trust.

Technical Details

The vulnerability affects specific versions of ManageEngine ADSelfService Plus, specifically version 6510 and prior releases. The session mishandling issue means that once a user is authenticated, their session may not be appropriately handled, allowing an attacker with valid account credentials to exploit the situation. The technical nuances involve how session tokens are managed and validated during user interactions, which can potentially allow for unauthorized account access.

Potential impact of CVE-2025-1723

1. Account Takeover: The primary risk is that valid account holders can exploit the session mishandling, allowing them to gain unauthorized control over other users' accounts. This can lead to data manipulation and unauthorized actions performed in the context of the compromised accounts.

2. Data Breach Risk: Exploiting this vulnerability can expose sensitive personal and organizational data, risking compliance with data protection regulations and damaging the organization’s reputation.

3. Service Disruption: With the potential for account takeovers, attackers could disrupt services by altering user permissions or locking users out of their accounts, leading to operational inefficiencies and decreased productivity within the organization.

References