ManageEngine Analytics Plus security updates

CVE-2025-8324: Unauthenticated SQL Injection Vulnerability in Analytics Plus on-premise

Severity: Critical

CVE ID: CVE-2025-8324

Product name	Affected Software Version(s)	Fixed Version	Fixed On
Analytics Plus on-premise	Analytics Plus on-premise builds below 6170	Build 6171	August 01, 2025

Details

An unauthenticated SQL injection vulnerability (CVE-2025-8324) has been identified in Analytics Plus on-premise. This vulnerability could allow attackers to execute arbitrary SQL queries due to insufficient input validation.

Impact

This vulnerability could lead to the unauthorized exposure of user information, potentially resulting in account takeovers.

Fix

The issue has been resolved by enforcing strict restrictions on vulnerable URLs and removing the insecure code.

Steps to upgrade

Kindly download the latest upgrade pack from the service pack page.
Follow the instructions detailed in the above service pack page to upgrade to the latest build.

Acknowledgements

This vulnerability was reported by devme4f from VNPT-VCI through our Bug Bounty portal.

For any questions or concerns, please write to us at:

EU region: analyticsplus-support@manageengine.eu
Other regions: analyticsplus-support@manageengine.com

CVE-2025-8324: Unauthenticated SQL Injection Vulnerability in Analytics Plus on-premise

Resources

Product

Support

Connect with us: