Executive Summary

CVE-2025-9223 is a high-severity authenticated command injection vulnerability in ManageEngine Applications Manager versions 178100 and below. It occurs due to a command blacklist bypass in the 'Execute Program' action feature, where attackers can specify absolute paths for blacklisted commands to circumvent security controls. This allows authenticated users to execute sensitive blacklisted commands with administrative privileges on the server. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated user to execute sensitive blacklisted commands with administrative privileges on the Applications Manager server. This poses a significant risk to system security and integrity, potentially leading to unauthorized control, data compromise, or disruption of services. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection involves verifying if your ManageEngine Applications Manager version is 178100 or below and checking for unauthorized or suspicious 'Execute Program' actions that may use absolute paths to bypass command blacklists. Since the vulnerability requires authenticated access, review the configuration of 'Execute Program' actions for any unapproved commands or actions created/updated without super admin approval. Specific detection commands are not provided in the resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediately update your ManageEngine Applications Manager to version 178200 or above, as this version includes fixes that require super admin approval for creating or updating 'Execute Program' actions and disables new actions until approved. If updating immediately is not possible, ensure that only super admins can create or update execute program actions and review existing actions for unauthorized commands. Applying the latest service pack is also recommended to mitigate the vulnerability. [1]

Useful 0 Not Useful 0