Main Vulnerability Database Vulnerabilities #VU114229

#VU114229 Incorrect regular expression in Zoho ManageEngine ServiceDesk Plus and Zoho ManageEngine ServiceDesk Plus MSP - CVE-2025-8309

Published: August 19, 2025

Vulnerability identifier: #VU114229

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-8309

CWE-ID: CWE-185

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Zoho ManageEngine ServiceDesk Plus
Zoho ManageEngine ServiceDesk Plus MSP

Software vendor:
Zoho Corporation

Description

The vulnerability allows a remote user to take over an arbitrary account within the application.

The vulnerability exists due to overly permissive regular expression (regex) rules in URL mapping when matching servlet paths using wildcards. A remote authenticated user can take control of an arbitrary user account, including administrator accounts.

Remediation

Install updates from vendor's website.

External links

https://www.manageengine.com/products/service-desk/cve-2025-8309.html

#VU114229 Incorrect regular expression in Zoho ManageEngine ServiceDesk Plus and Zoho ManageEngine ServiceDesk Plus MSP - CVE-2025-8309

Description

Remediation

External links

Please verify you're human