XSS Vulnerability from Malicious SNMP sysName - ZVE-2025-7405

Severity: High

ZVE ID: ZVE-2025-7405

Product Name:

OpManager
OpManager Enterprise Edition
OpManager Plus
OpManager Plus Enterprise Edition
OpManager MSP

Affected Version(s) | Fixed Version(s) | Fixed On
12.8.664 and below | 12.8.665 | 10-1-2026
12.8.632 and below | 12.8.633 | 7-1-2026
12.8.588 and below | 12.8.589 | 13-1-2026

Details:

OpManager: A stored cross-site scripting (XSS) vulnerability in the display name of devices/interfaces has now been fixed.

Impact:

This vulnerability could allow the display name of a device or interface to be injected with malicious JavaScript code, which, when executed, could enable an attacker to access sensitive information.

Fix:

This has been addressed by sanitizing user input in the device or interface display name field to prevent script injection.
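The fix above treats the device or interface display name as untrusted input. As an added illustration (not ManageEngine's code or the actual patch), the sketch below audits an inventory of SNMP-supplied names against an assumed naming policy and HTML-encodes every name before it is rendered; all function names, the policy regex and the sample inventory are assumptions made for this example.

```javascript
// Added example; every identifier below is hypothetical, not OpManager code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed naming policy: hostname-like names, at most 255 characters
// (the size limit of an SNMP DisplayString such as sysName).
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9 ._:()#-]{0,254}$/;

// Return null when the name fits the policy, otherwise the reason it does not.
function classifyName(name) {
  if (name.length > 255) return 'longer than 255 characters';
  if (/[\u0000-\u001f\u007f]/.test(name)) return 'control characters';
  if (/[&<>"'`]/.test(name)) return 'markup characters';
  return SAFE_NAME.test(name) ? null : 'outside allowlist';
}

// Audit an inventory export and list the entries an operator should review.
function auditDisplayNames(devices) {
  return devices
    .map((d) => ({ ip: d.ip, reason: classifyName(String(d.sysName)) }))
    .filter((finding) => finding.reason !== null);
}

// Render the name encoded, whatever the audit said about it.
function renderDeviceCell(device) {
  const safe = escapeHtml(device.sysName);
  return `<td title="${safe}">${safe}</td>`;
}

// Constructed sample inventory (documentation addresses, invented names).
const SAMPLE = [
  { ip: '192.0.2.10', sysName: 'core-sw01.example.net' },
  { ip: '192.0.2.11', sysName: '<script>alert(1)</script>' },
  { ip: '192.0.2.12', sysName: 'rack "A" router' },
];

for (const finding of auditDisplayNames(SAMPLE)) {
  console.log(`${finding.ip}: ${finding.reason}`);
}
console.log(SAMPLE.map(renderDeviceCell).join('\n'));
```

Encoding at render time is the control that stops script execution; the audit only points operators at devices whose reported names deserve a closer look.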

Steps to upgrade:

  1. Kindly download the latest upgrade pack from here.
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.

Source and Acknowledgements:

This vulnerability was reported by Daniel Santos.

Kindly contact our product support teams for further details, at the email address mentioned below:

 

 