# Security Advisory ## June 22, 2026 A remote code execution vulnerability in the Reports module (Query Report) has been fixed in AssetExplorer version 7860. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/cve-2026-12507.html) to learn more and upgrade to the latest service pack. ## August 06, 2025 A privilege escalation vulnerability caused by insecure regex in URL paths has been fixed in AssetExplorer version 7710. For more details and steps to upgrade to the latest version, please refer to the associated [security advisory](https://www.manageengine.com/products/service-desk/cve-2025-8309.html). ## April 25, 2023 A XXE vulnerability in the Reports integration has been fixed in AssetExplorer version 6989. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-29443.html) to learn more and to upgrade to the latest version. ## March 06, 2023 A privilege escalation vulnerability in query reports has been fixed in AssetExplorer 6988. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-26600.html) to learn more and to upgrade to the latest version. A Denial of Service vulnerability is fixed in AssetExplorer version 6988. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-26601.html) to learn more and to upgrade to the latest version. ## February 14, 2023 A stored XSS vulnerability in the asset details page has been fixed in AssetExplorer version 6987. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2023-23078.html) to learn more and to upgrade to the latest version. ## November 19, 2022 An XXE vulnerability when integrating with Analytics Plus has been fixed in AssetExporer version 6981. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2022-40771.html) to learn more and to upgrade to the latest version. A privilege escalation vulnerability in query reports has been fixed in AssetExporer version 6981. Please refer to this [security advisory](https://www.manageengine.com/products/service-desk/CVE-2022-40772.html) to learn more and to upgrade to the latest version. ## July 7, 2022 An authenticated local file disclosure vulnerability that allows users to download local files has been fixed in AssetExplorer version 6977. Please refer to this [security advisory](https://www.manageengine.com/products/asset-explorer/local-file-disclosure-advisory.html) to learn more and upgrade to the latest version. ## March 22, 2022 [CVE-2022-25245] A vulnerability that allowed non-login users to extract vendor currency details has been fixed in version 6971. Please visit this [link](https://www.manageengine.com/products/asset-explorer/cve-2022-25245.html) for more information. ## December 04, 2021 This security advisory addresses two authentication bypass vulnerabilities that affect AssetExplorer versions up to 6952 **(CVE-2021-44526)** and AssetExplorer customers who use the Endpoint Central agent for asset discovery **(CVE-2021-44515)**. **Important note**: If you are a customer of AssetExplorer who uses the Endpoint Central agent for asset discovery, follow the steps outlined in the advisories for both **CVE-2021-44526** and **CVE-2021-44515**. If you are a customer of AssetExplorer who does not use the Endpoint Central agent, please only follow the steps outlined in the advisory for **CVE-2021-44526**, explained in this email. **CVE-2021-44515** affects customers of AssetExplorer who use the Endpoint Central agent for asset discovery, and can lead to a remote code execution attack. We strongly urge customers who use the Endpoint Central agent to refer to this [security advisory](https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html) for more information and the steps to upgrade Endpoint Central to the latest version. **CVE-2021-44526** affects customers using all editions of AssetExplorer versions **6952 and below**, irrespective of whether they use the Endpoint Central agent, and we strongly urge all customers to upgrade to the latest version of AssetExplorer immediately. The rest of the advisory will be focused on **CVE-2021-44526**, an authentication bypass vulnerability in AssetExplorer versions up to 6952. ### Severity : High ### Impact: This vulnerability can allow an adversary to bypass authentication and access the Asset Name and the Asset Field's Allowed Values configurations. ### What led to the vulnerability? One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated servlet to be accessed without proper authentication. APIs and other URL calls are not affected. ### Who is affected? This vulnerability affects AssetExplorer customers of all editions using versions 6952 and below. ### How have we fixed it? We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability. ### How to find out if you are affected Click the **Help** link in the top-right corner of the AssetExplorer web client, and select **About** from the drop-down to see your current version. If your current version is 6952 and below, you might be affected. Please follow [this forum post](https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central) any further updates regarding this vulnerability. ### What customers should do Download the upgrade pack from [https://www.manageengine.com/products/asset-explorer/service-packs.html](https://www.manageengine.com/products/asset-explorer/service-packs.html) and immediately upgrade to the latest version (6953). Please read the upgrade [instructions](https://www.manageengine.com/products/asset-explorer/service-packs.html#sp) carefully before beginning the upgrade. For assistance, write to [assetexplorer-support@manageengine.com](mailto:assetexplorer-support@manageengine.com) or call us toll-free at +1.888.720.9500. Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed [here](https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central) Customers of AssetExplorer who are using the Endpoint Central agent for asset discovery can refer to this [security advisory](https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html) for information on upgrading Endpoint Central. **Important note**: As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup. We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at [assetexplorer-support@manageengine.com](mailto:assetexplorer-support@manageengine.com). Best regards, Umashankar ManageEngine AssetExplorer ## October 07, 2021 This is a security advisory regarding an [insufficient authentication and authorization handling vulnerability (CVE-2021-37414)](https://www.manageengine.com/products/desktop-central/improper-access-control.html) in ManageEngine Endpoint Central, reported by an external security researcher via our [bug bounty program](https://bugbounty.zohocorp.com/bb/info?department=manageengine#home). ### Who is affected?: This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Endpoint Central to leverage the unified agent for asset inventory. **Affected build numbers of Endpoint Central:** Endpoint Central installations with the following build numbers are affected: - 10.1.2121.03 - 10.1.2121.02 - 10.1.2121.04 - 10.1.2127.01 **Severity**: High **What was the problem?** An endpoint was found with insufficient access control in the Endpoint Central server, which when exploited could lead to an unauthorized user gaining access to the Endpoint Central instance. **How have we fixed the vulnerability?** The vulnerability has been identified and fixed in the latest build of Endpoint Central. To apply the fix, follow the steps below: - Log in to your Endpoint Central console and click your current build number in the top-right corner. - Find the latest build applicable to you. Download the PPM and update Endpoint Central. **Note**: This vulnerability is not applicable to the cloud editions of Endpoint Central, Patch Manager Plus, and Remote Access Plus. For further details, please contact support at [support@servicedeskplusmsp.com](mailto:support@servicedeskplusmsp.com). **Important note**: As always, make a copy of the entire Endpoint Central installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Endpoint Central database before upgrading. Once the upgrade is successfully completed, remember to delete the backup. We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at [assetexplorer-support@manageengine.com](mailto:assetexplorer-support@manageengine.com). Best regards, Umashankar ManageEngine AssetExplorer