Cyber Resilience

CVE-2025-11250

Critical

Published: 13 January 2026
Modified: 29 January 2026
KEV Added: (not listed)
Patch: (see vendor advisory)
CVSS v3.1 base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0142 (69.4th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-11250 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Zohocorp ManageEngine ADSelfService Plus. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.6% of all CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to an authentication bypass flaw, tracked as CVE-2025-11250 and published on 2026-01-13. The issue stems from improper filter configurations, mapped to CWE-290, and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation bypasses the product's authentication mechanisms, potentially granting unauthorized access to sensitive data and enabling integrity violations; availability is not affected.

The vendor's advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html describes the fix, which is to upgrade to build 6519 or later. Security practitioners should review the advisory for the full patch instructions and any interim workarounds.

Vulnerability details

Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.

CWE(s)

CWE-290: Authentication Bypass by Spoofing
Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (ManageEngine ADSelfService Plus), directly enabling exploitation of public-facing applications for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1723 (same product: Zohocorp ManageEngine ADSelfService Plus)
CVE-2025-9428 (same product class: network monitoring / SIEM)
CVE-2026-3879 (same product class: network monitoring / SIEM)
CVE-2026-27655 (same product class: network monitoring / SIEM)
CVE-2026-3880 (same product class: network monitoring / SIEM)
CVE-2026-28703 (same product class: network monitoring / SIEM)
CVE-2026-4107 (same product class: network monitoring / SIEM)
CVE-2026-28754 (same product class: network monitoring / SIEM)
CVE-2026-4108 (same product class: network monitoring / SIEM)
CVE-2024-41140 (same product class: network monitoring / SIEM)

Affected Assets

Vendor: zohocorp
Product: manageengine adselfservice plus
Version: 6.5 (affected: ≤ 6.5)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): Requires identification, reporting, and correction of the authentication bypass flaw in ManageEngine ADSelfService Plus, directly enabling patching to build 6519 or later.

AC-3 Access Enforcement (prevent): Mandates enforcement of approved authorizations for logical access, directly countering the improper filter configurations that allow authentication bypass.

Configuration settings (prevent): Ensures configuration settings for filters and access mechanisms are properly established and enforced, mitigating the misconfigurations that lead to authentication bypass.

References

Vendor advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html