Cyber Posture

CVE-2025-11250

Critical

Published: 13 January 2026
Modified: 29 January 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (29.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.

Mitigating Controls (NIST 800-53 r5)

prevent: Requires identification, reporting, and correction of the authentication bypass flaw in ManageEngine ADSelfService Plus, directly enabling patching to version 6519 or later.

prevent: Mandates enforcement of approved authorizations for logical access, directly countering the improper filter configurations that allow authentication bypass.

prevent: Ensures configuration settings for filters and access mechanisms are properly established and enforced to mitigate misconfigurations leading to authentication bypass.

Security Summary

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to an authentication bypass flaw, tracked as CVE-2025-11250 and published on 2026-01-13. The issue stems from improper filter configurations, mapped to CWE-290, and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows bypassing authentication mechanisms, potentially granting unauthorized access to sensitive data and enabling integrity violations without affecting availability.

The vendor's advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html provides details on mitigation, including upgrading to version 6519 or later. Security practitioners should review the advisory for full patch instructions and workarounds.

Details

CWE(s)

Affected Products

zohocorp
manageengine adselfservice plus
6.5 · ≤ 6.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (ManageEngine ADSelfService Plus), directly enabling exploitation of public-facing applications for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References