CVE-2025-9226
Stored XSS in ManageEngine Subnet Details Affects Multiple Products
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: ManageEngine
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_opmanager | to 128582 (exc) |
| zohocorp | netflow_analyzer | to 128582 (exc) |
| zohocorp | oputils | to 128582 (exc) |
| zohocorp | manageengine_opmanager_enterprise_edition | to 128582 (exc) |
| zohocorp | manageengine_opmanager_plus | to 128582 (exc) |
| zohocorp | manageengine_opmanager_plus_enterprise_edition | to 128582 (exc) |
| zohocorp | manageengine_opmanager_msp | to 128582 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9226 is a stored Cross-Site Scripting (XSS) vulnerability in ManageEngine products like OpManager, NetFlow Analyzer, and OpUtils. It allows an authenticated, low-privileged user with permission to modify subnet details to inject malicious JavaScript code into the subnet details input field. This malicious code is stored and executed when other users view the affected page, potentially compromising their sessions or enabling unauthorized actions. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of other users' browsers when they view the subnet details page. This can lead to session hijacking, unauthorized actions performed on behalf of users, and potential compromise of sensitive information accessible through the application. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if your ManageEngine products (OpManager, NetFlow Analyzer, OpUtils) are running affected versions between build numbers 128464 and 128581. Since the vulnerability involves stored XSS in the subnet details input field, detection involves checking if malicious JavaScript payloads have been injected into subnet details by authenticated users with modification permissions. There are no specific commands provided to detect the vulnerability or payloads on the network or system in the provided resources. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade your ManageEngine products to the fixed versions starting from builds 128465, 128570, or 128582 as applicable. The fix properly escapes and safely renders all user input from the subnet details field to prevent execution of injected JavaScript. Additionally, ensure that only trusted users have permission to modify subnet details. For further assistance, you can contact OpManager support at [email protected]. [1]