# ManageEngine Analytics Plus security updates

## CVE-2025-8324: Unauthenticated SQL Injection Vulnerability in Analytics Plus on-premise

**Severity:** Critical

**CVE ID:** CVE-2025-8324

| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Analytics Plus on-premise | Analytics Plus on-premise builds below 6170 | Build 6171 | August 01, 2025 |

**Details**

An unauthenticated SQL injection vulnerability (CVE-2025-8324) has been identified in Analytics Plus on-premise. This vulnerability could allow attackers to execute arbitrary SQL queries due to insufficient input validation.

**Impact**

This vulnerability could lead to the unauthorized exposure of user information, potentially resulting in account takeovers.

**Fix**

The issue has been resolved by enforcing strict restrictions on vulnerable URLs and removing the insecure code.

**Steps to upgrade**

1. Kindly download the latest upgrade pack from [the service pack page](https://www.manageengine.com/analytics-plus/service-packs.html).
2. Follow the instructions detailed in the above service pack page to upgrade to the latest build.

**Acknowledgements**

This vulnerability was reported by **devme4f from VNPT-VCI** through our Bug Bounty portal.

For any questions or concerns, please write to us at:

- EU region: [analyticsplus-support@manageengine.eu](mailto:analyticsplus-support@manageengine.eu)
- Other regions: [analyticsplus-support@manageengine.com](mailto:analyticsplus-support@manageengine.com)