# ManageEngine Analytics Plus security updates

## CVE-2025-9428: SQL Injection Vulnerability in Analytics Plus on-premise

**Severity:** High

**CVE ID:** CVE-2025-9428

| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Analytics Plus on-premise | Analytics Plus on-premise builds below 6171 | Build 6200 | September 02, 2025 |

**Details**

A SQL injection vulnerability (CVE-2025-9428) has been identified in Analytics Plus. This vulnerability could allow an authenticated user to execute arbitrary SQL queries due to insufficient input validation.

**Impact**

This vulnerability allows authenticated users to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or database disruption.

**Fix**

The issue has been resolved by implementing restrictions on the usage of specific keywords in SQL queries.

**Steps to upgrade**

1. Kindly download the latest upgrade pack from [the service pack page](https://www.manageengine.com/analytics-plus/service-packs.html).
2. Follow the instructions detailed in the above service pack page to upgrade to the latest build.

For any questions or concerns, please write to us at:

- EU region: [analyticsplus-support@manageengine.eu](mailto:analyticsplus-support@manageengine.eu)
- Other regions: [analyticsplus-support@manageengine.com](mailto:analyticsplus-support@manageengine.com)