ZohoCorp ManageEngine ADAudit Plus, SQL Injection, CVE-2025-36527 (Critical)

How the CVE Works:

CVE-2025-36527 is an SQL injection flaw caused by improper input sanitization in the report export feature of ManageEngine ADAudit Plus (versions < 8511). An attacker who submits a crafted export request can inject SQL into the query the feature builds, gaining unauthorized access to the database. The root cause is user-supplied input concatenated directly into SQL statements, so the injected text runs as arbitrary queries with the application's database privileges.

DailyCVE Form:

Platform: ManageEngine ADAudit Plus
Version: < 8511
Vulnerability: SQL Injection
Severity: Critical
Date: 06/16/2025

Prediction: Patch expected by 07/15/2025

What Undercode Says:

Analytics:

Vulnerable query shape (the user-supplied value is dropped straight into the quoted literal):

```sql
SELECT * FROM reports WHERE export_id = '<user-supplied export_id>';
```

Crafted export request as given in the original post:

```bash
curl -X POST -d "report_id=1; DROP TABLE users--" http://target/export
```

How the Exploit Works:

  • Crafted HTTP POST request with SQL payload.
  • Exploits unsanitized `export_id` parameter.

Protection from this CVE:

  • Upgrade to v8511+.
  • Input validation and WAF rules as interim mitigation.
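The concatenation defect described above and the input-validation mitigation, side by side, as an added example that is not ADAudit Plus code; it assumes a hypothetical `reports` table with an integer `export_id` column and uses an in-memory SQLite database with constructed rows.

```python
import re
import sqlite3

# Constructed sample data standing in for the report store; not the product's real schema.
SAMPLE_REPORTS = [(1, "logon-audit"), (2, "gpo-changes"), (3, "privileged-accounts")]
# Assumption for this example: export ids are short decimal integers, nothing else.
EXPORT_ID_RE = re.compile(r"^\d{1,10}$")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (export_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)", SAMPLE_REPORTS)
    return conn


def fetch_report_vulnerable(conn, export_id):
    """Pattern the advisory describes: request input concatenated into the statement."""
    sql = "SELECT export_id, name FROM reports WHERE export_id = '%s'" % export_id
    return conn.execute(sql).fetchall()


def validate_export_id(export_id):
    """Allow-list check: accept only a plain decimal id, reject everything else."""
    return bool(EXPORT_ID_RE.match(export_id))


def fetch_report_safe(conn, export_id):
    """Hardened form: validate first, then bind the value as a query parameter."""
    if not validate_export_id(export_id):
        raise ValueError("rejected export_id")
    sql = "SELECT export_id, name FROM reports WHERE export_id = ?"
    return conn.execute(sql, (int(export_id),)).fetchall()


def demo():
    conn = _db()
    # Constructed tautology input: makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    leaked = fetch_report_vulnerable(conn, tautology)   # all three rows come back
    try:
        fetch_report_safe(conn, tautology)
        blocked = False
    except ValueError:
        blocked = True                                   # validator stops it before the query
    return len(leaked), blocked, fetch_report_safe(conn, "2")


if __name__ == "__main__":
    print(demo())  # (3, True, [(2, 'gpo-changes')])
```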

Impact:

  • Database compromise.
  • Data exfiltration.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
