Cyber Resilience

CVE-2025-10020

High · RCE

Published: 21 October 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0286 (86.6th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10020 is a high-severity Command Injection (CWE-77) vulnerability in Zohocorp ManageEngine ADManager Plus. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 13.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10020 is an authenticated command injection vulnerability (CWE-77) in the Custom Script component of Zohocorp ManageEngine ADManager Plus versions before 8024. Published on 2025-10-21, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact across confidentiality, integrity, and availability.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation changes scope (S:C) and enables high-impact outcomes (C:H/I:H/A:H), such as remote command execution on the affected system.

The vendor has published details in a knowledge base article at https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-10020.html, which security practitioners should consult for mitigation guidance, including patching to version 8024 or later.


Vulnerability details

Zohocorp ManageEngine ADManager Plus versions before 8024 are vulnerable to an authenticated command injection vulnerability in the Custom Script component.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated command injection (CWE-77) directly enables arbitrary remote command execution (T1059) and exploitation for privilege escalation from low privileges to system-level RCE (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-41140 · Same product class: network monitoring / SIEM
CVE-2026-4107 · Same product class: network monitoring / SIEM
CVE-2026-28756 · Same product class: network monitoring / SIEM
CVE-2025-1723 · Same product class: network monitoring / SIEM
CVE-2026-27655 · Same product class: network monitoring / SIEM
CVE-2026-4108 · Same product class: network monitoring / SIEM
CVE-2026-28754 · Same product class: network monitoring / SIEM
CVE-2026-3880 · Same product class: network monitoring / SIEM
CVE-2026-3879 · Same product class: network monitoring / SIEM
CVE-2025-9428 · Same product class: network monitoring / SIEM

Affected Assets

zohocorp
manageengine admanager plus
8.0 · ≤ 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the command injection vulnerability in ManageEngine ADManager Plus Custom Script component to version 8024 or later.

prevent

Prevents authenticated command injection by enforcing validation of all inputs to the Custom Script component against malicious command sequences.

prevent

Limits impact of exploited command injection by restricting low-privilege users from accessing or executing high-impact Custom Script functions.
