Main Vulnerability Database SB2025081960

SB2025081960 - Privilege escalation in ManageEngine AssetExplorer

Published: August 19, 2025

Security Bulletin ID SB2025081960

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Incorrect regular expression (CVE-ID: CVE-2025-8309)

CWE-ID: CWE-185 - Incorrect Regular Expression

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to take over an arbitrary account within the application.

The vulnerability exists due to overly permissive regular expression (regex) rules in URL mapping when matching servlet paths using wildcards. A remote authenticated user can take control of an arbitrary user account, including administrator accounts.

Remediation

Install update from vendor's website.

References

https://www.manageengine.com/products/service-desk/cve-2025-8309.html