CVE-2025-8324
Published: 11 November 2025
Description
Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates unauthenticated SQL injection by requiring validation of all information inputs to block malicious SQL code execution.
Requires timely identification, reporting, and correction of flaws like this specific SQL injection vulnerability through patching.
Ensures establishment and enforcement of secure configuration settings, including proper filter configurations to address the improper filter causing the SQL injection.
Security SummaryAI
Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to CVE-2025-8324, an unauthenticated SQL injection flaw (CWE-89) caused by improper filter configuration. Published on 2025-11-11, this issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Remote attackers need no privileges or user interaction to exploit the vulnerability over the network with low attack complexity. Successful exploitation enables arbitrary SQL injection, resulting in high confidentiality, integrity, and availability impacts, such as data exfiltration, database manipulation, or service disruption.
Mitigation guidance is available in the vendor advisory at https://www.manageengine.com/analytics-plus/CVE-2025-8324.html.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SQL injection in a public-facing web application directly enables T1190 (Exploit Public-Facing Application). Exploitation facilitates arbitrary SQL queries for data exfiltration from databases (T1213.006).