CVE-2025-1723
Published: 03 March 2025
Description
Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to session mishandling. Only valid account holders in the setup have the potential to exploit this bug.
Security Summary
CVE-2025-1723 is a vulnerability in Zohocorp ManageEngine ADSelfService Plus versions 6510 and below that enables account takeover through improper session handling. It is assigned CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): high severity, reachable over the network with low attack complexity, requiring low privileges but no user interaction.
Only valid account holders already present in the setup can exploit the flaw, which is what the PR:L requirement reflects. An attacker with such access can abuse the session handling over the network to take over another account, with high impact on confidentiality and integrity, such as unauthorized access to other accounts, data exfiltration, or privilege escalation within the affected instance. Availability is not affected (A:N) and the scope is unchanged (S:U), so the impact stays within the ADSelfService Plus instance itself.
The vendor has published an advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html with patch and mitigation guidance. Security practitioners should consult it for the fixed build and recommended remediation steps, and treat any ADSelfService Plus build at or below 6510 as affected until it is upgraded.
Details
- CWE(s): CWE-287 (Improper Authentication)