# CVE-2025-6239

## Information disclosure vulnerability in debug-info HTML files of a File/Directory monitor

## Vulnerability Details

| | |
|---|---|
| Severity | **Medium** |
| CVE ID | CVE-2025-6239 |
| Affected software versions | Version 176800 and below |
| Fixed Version | Version 176701; Version 176900 and above |
| Fixed On | 21 July 2025 |

## Details

For customers using the File/Directory monitor with content check enabled, an Information Disclosure vulnerability may arise if a file containing sensitive information from the Applications Manager directory is configured in the monitor. In such cases, this information is exposed via Debug-Info HTML files.

## Impact

This vulnerability exposes encrypted database credentials of Applications Manager through Debug-Info HTML files. Authenticated users can access this information if such a File / Directory monitor is configured by the Administrator or Delegated Administrator.

## Fix

Applications Manager version 176900 (refer above for other fixed versions) and above fixes this issue by restricting the content check when a file from Applications Manager is configured in File / Directory monitor.

## Steps to update

Update your Applications Manager instance to the latest build using the [service pack](https://www.manageengine.com/products/applications_manager/service-packs.html).

## Source and Acknowledgements

Find out more about CVE-2025-6239 from the [CVE Directory](https://www.cve.org/CVERecord?id=CVE-2025-6239) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-6239).

## Reported by:

Ngockhanhc311 from FPT NightWolf

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com)
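
The restriction described under Fix can be approximated by an administrator as an audit of existing monitors. The following is an added example, not ManageEngine's code: it flags monitored paths that resolve into the Applications Manager directory, including ones that reach it through a symlink or `..` segments. The install directory, file names and monitor list are constructed for the demonstration.

```python
import os
import tempfile


def is_inside(root: str, candidate: str) -> bool:
    """True if candidate resolves to root itself or to a path beneath it."""
    # realpath collapses ".." segments and follows symlinks, so a link that
    # lives outside root but points into it is still caught.
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        # commonpath compares whole path components, so a sibling such as
        # "AppManager-backup" is not mistaken for "AppManager".
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def audit_monitored_paths(root: str, monitored: dict) -> list:
    """Return the names of monitors whose file resolves into root."""
    return sorted(name for name, path in monitored.items() if is_inside(root, path))


def demo() -> list:
    # Constructed layout: a hypothetical install directory plus a log directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "AppManager")            # hypothetical install dir
        conf = os.path.join(root, "conf", "database.conf")  # constructed file name
        log = os.path.join(tmp, "logs", "app.log")
        os.makedirs(os.path.dirname(conf))
        os.makedirs(os.path.dirname(log))
        for path in (conf, log):
            open(path, "w").close()
        link = os.path.join(tmp, "logs", "link.conf")
        os.symlink(conf, link)  # lives outside root, points inside it
        monitored = {  # constructed monitor list: name -> configured file
            "direct": conf,
            "symlink": link,
            "traversal": os.path.join(tmp, "logs", "..", "AppManager", "conf", "database.conf"),
            "unrelated-log": log,
            "sibling-dir": os.path.join(tmp, "AppManager-backup", "notes.txt"),
        }
        return audit_monitored_paths(root, monitored)


if __name__ == "__main__":
    print(demo())
```

Monitors flagged by such an audit are the ones whose content check should be removed or repointed until the instance is updated.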