| Vulnerability details | |
|---|---|
| Severity | High |
| CVE ID | CVE-2025-10020 |
| Affected software versions | 8023 and older |
| Fixed version | Build 8024 |
| Fixed on | September 19, 2025 |
CVE-2025-10020 is an authenticated command injection vulnerability in the Custom Script component of ADManager Plus. Improper handling could allow attackers to execute arbitrary commands, leading to remote code execution (RCE). This issue has been fixed in build 8024; see the release notes for details.
This vulnerability could allow an authenticated adversary to gain unauthorized access to sensitive data from the server and execute system commands to compromise the instance.
Update your ADManager Plus instance to its latest build by installing the service pack.
This vulnerability was reported by bitxer via Zoho's Bug Bounty program.