fkie_nvd - fkie_cve-2025-9428

fkie_cve-2025-9428

Vulnerability from fkie_nvd

Published

2025-10-21 12:15

Modified

2025-10-23 14:00

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.

References

	URL	Tags
	0fc0942c-577d-436f-ae8e-945763c79b02	https://www.manageengine.com/analytics-plus/CVE-2025-9428.html	Vendor Advisory

Impacted products

Vendor	Product	Version
zohocorp	manageengine_analytics_plus	*
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1
zohocorp	manageengine_analytics_plus	6.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCB8F6B2-6E06-4BE7-9AC9-A8D26F25C67B",
              "versionEndExcluding": "6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6100:*:*:*:*:*:*",
              "matchCriteriaId": "A27EFFEA-DB7E-4E3E-905B-5D1BAAE3A03E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6110:*:*:*:*:*:*",
              "matchCriteriaId": "7AAAFC61-BDEB-4688-804E-C8165E693BA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6120:*:*:*:*:*:*",
              "matchCriteriaId": "13DAD61B-82F4-42B5-A2E8-81EB62346EB1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6130:*:*:*:*:*:*",
              "matchCriteriaId": "0E074C04-4BC6-431B-99F0-ECB9E83532A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6140:*:*:*:*:*:*",
              "matchCriteriaId": "1384D5F4-D3F0-48B4-AA2A-0B7E93A46C72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6150:*:*:*:*:*:*",
              "matchCriteriaId": "3F1E5920-9108-40A8-8FE0-727BA82C092F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6160:*:*:*:*:*:*",
              "matchCriteriaId": "F237D724-FF1D-4D03-9968-6F64B45F421F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6170:*:*:*:*:*:*",
              "matchCriteriaId": "ECDAD23D-D2E8-4A10-BDA6-7088314849AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zohocorp:manageengine_analytics_plus:6.1:6171:*:*:*:*:*:*",
              "matchCriteriaId": "4166ED3E-040B-4867-BD53-515638BFFF21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zohocorp ManageEngine Analytics Plus versions\u00a06171 and prior are vulnerable to authenticated SQL Injection via the key update api."
    }
  ],
  "id": "CVE-2025-9428",
  "lastModified": "2025-10-23T14:00:21.830",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.5,
        "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-10-21T12:15:35.673",
  "references": [
    {
      "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.manageengine.com/analytics-plus/CVE-2025-9428.html"
    }
  ],
  "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
      "type": "Secondary"
    }
  ]
}

CVE-2025-9428 (GCVE-0-2025-9428)

Vulnerability from cvelistv5

Published

2025-10-21 11:43

Modified

2025-10-22 03:55

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Summary

Zohocorp ManageEngine Analytics Plus versions 6171 and prior are vulnerable to authenticated SQL Injection via the key update api.

References

URL

Tags

https://www.manageengine.com/analytics-plus/CVE-2025-9428.html