CVE-2025-3835
BaseFortify
Publication date: 2025-06-09
Last updated on: 2025-09-29
Assigner: ManageEngine
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | to 5.7 (exc) |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
| zohocorp | manageengine_exchange_reporter_plus | 5.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-3835 is a critical Remote Code Execution (RCE) vulnerability in the Content Search module of Zoho ManageEngine Exchange Reporter Plus versions up to build 5721. It allows attackers, under rare scenarios, to execute arbitrary commands on the target servers, potentially compromising system integrity. This vulnerability was fixed in build 5722. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary commands remotely on your Exchange Reporter Plus server, which can lead to full system compromise, loss of data integrity, and potentially unauthorized access to sensitive information or disruption of services. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately update Exchange Reporter Plus to build 5722 or later by downloading and applying the latest service pack following the official instructions. For assistance, you can contact product support at [email protected]. [1]