Main Vulnerability Database Vulnerabilities #VU114229

Incorrect regular expression in Zoho ManageEngine ServiceDesk Plus and Zoho ManageEngine ServiceDesk Plus MSP - CVE-2025-8309

Published: August 19, 2025

Vulnerability identifier: #VU114229

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-8309

CWE-ID: CWE-185

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Zoho Corporation

Affected software:
Zoho ManageEngine ServiceDesk Plus
Zoho ManageEngine ServiceDesk Plus MSP

Detailed vulnerability description

The vulnerability allows a remote user to take over an arbitrary account within the application.

The vulnerability exists due to overly permissive regular expression (regex) rules in URL mapping when matching servlet paths using wildcards. A remote authenticated user can take control of an arbitrary user account, including administrator accounts.

How to mitigate CVE-2025-8309

Install updates from vendor's website.

Sources

https://www.manageengine.com/products/service-desk/cve-2025-8309.html

Incorrect regular expression in Zoho ManageEngine ServiceDesk Plus and Zoho ManageEngine ServiceDesk Plus MSP - CVE-2025-8309

Detailed vulnerability description

How to mitigate CVE-2025-8309

Sources

Please verify you're human