Cyber Posture

CVE-2025-9223

High

Published: 11 November 2025

Published
11 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0130 79.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection by validating and sanitizing user inputs to the execute program action feature.

CM-6 Configuration Settings good match
prevent

Addresses the improper configuration in the execute program action feature by enforcing secure configuration settings.

SI-2 Flaw Remediation good match
prevent

Mitigates the vulnerability through timely patching as recommended in the ManageEngine security advisory.

Security SummaryAI

CVE-2025-9223 is an authenticated command injection vulnerability (CWE-77) affecting Zoho Corp's ManageEngine Applications Manager in versions 178100 and below. The flaw stems from improper configuration in the execute program action feature, allowing malicious input to be executed as system commands. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.

An attacker with low-privilege authenticated access to the Applications Manager instance can exploit this vulnerability over the network without user interaction. Successful exploitation enables arbitrary command execution on the underlying server, potentially leading to full system compromise, data exfiltration, modification of critical files, or denial of service.

ManageEngine has issued a security advisory with details on mitigation and patching at https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9223.html. Security practitioners should prioritize upgrading to a patched version and review access controls for the execute program action feature.

Details

CWE(s)
CWE-77

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

Authenticated command injection in ManageEngine Applications Manager, a public-facing web application, enables remote code execution via exploitation of the vulnerable execute program action feature (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References