Cyber Posture

CVE-2025-1724

Severity: High
Published: 17 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: upgrade to version 6130 or later
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0132 (80.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1724 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Zohocorp ManageEngine Analytics Plus and Zoho Analytics on-premise (product inferred from the references and description; NVD filed no CPE). Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Domain Accounts (T1078.002). The CVE ranks in the top 20% of CVEs by EPSS exploit likelihood (80.0th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Domain Accounts (T1078.002) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly remediates the hard-coded sensitive token by requiring timely identification, reporting, and patching to version 6130 or later.

IA-5 Authenticator Management (prevent): prohibits and manages authenticators such as hard-coded tokens so they cannot be used for AD authentication, directly addressing CWE-798.

Account management (prevent): disables unused AD-only accounts or restricts their privileges to limit the impact of a takeover.

MITRE ATT&CK Enterprise Techniques

T1078.002 Domain Accounts Stealth
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The hard-coded token enables remote takeover of AD-only accounts (T1078.002 Domain Accounts) through the network-accessible on-premise analytics application (T1190 Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token.

Deeper analysis

Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to CVE-2025-1724, an account takeover issue stemming from a hard-coded sensitive token, classified under CWE-798 (Use of Hard-coded Credentials). Published on 17 March 2025, this flaw carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts without affecting availability.

The vulnerability lets an attacker with network access take over an AD-only account (an account in the analytics product that authenticates solely through Active Directory), requiring no privileges or user interaction. The AC:H component means successful exploitation depends on conditions beyond the attacker's direct control, which the public description does not spell out. A successful takeover gives the attacker the access of the compromised account, allowing unauthorized reading and modification of data within the affected analytics platform.

Official advisories from ManageEngine and Zoho detail mitigation steps, available at https://www.manageengine.com/analytics-plus/CVE-2025-1724.html and https://www.zoho.com/analytics/onpremise/CVE-2025-1724.html. Organizations should upgrade to version 6130 or later to address the hardcoded token issue.
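Because a hard-coded token is identical in every installation, recovering it once (from a shipped binary, a configuration template, or a single compromised install) lets an attacker present it anywhere. The following is an added illustration of that CWE-798 pattern beside a hardened design; it is constructed for this page, is not ManageEngine or Zoho code, and does not reproduce the actual token or endpoint behind CVE-2025-1724, which the page does not publish. All function names, file names and the stand-in token value are assumptions.

```python
"""CWE-798 illustration: a shared constant token versus a per-install,
per-principal token.  Constructed example, not vendor code; names and
values are assumptions and do not describe the real CVE-2025-1724 flaw."""
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# --- Vulnerable pattern ----------------------------------------------------
# A constant baked into the product is the same in every deployment, so one
# disclosure compromises all of them, and it is not bound to any one account.
HARDCODED_TOKEN = "shared-support-token-1234"   # stand-in value (assumption)


def vulnerable_ad_login(presented_token: str, ad_username: str):
    """Returns a session for *any* AD-only user once the shared constant matches."""
    if presented_token == HARDCODED_TOKEN:      # equality compare, any username accepted
        return {"user": ad_username, "auth": "ad-only"}
    return None


# --- Hardened pattern ------------------------------------------------------
class InstallSecret:
    """Per-install secret generated at first start and stored with mode 0600.

    No credential lives in source code; two installs never share a secret, so
    leaking one install's file does not open the others.  Tokens are HMACs over
    the principal, so a token for one user is useless for any other user.
    """

    def __init__(self, path: Path):
        self.path = path
        self._key = self._load_or_create()

    def _load_or_create(self) -> bytes:
        if self.path.exists():
            return self.path.read_bytes()
        key = secrets.token_bytes(32)
        # O_EXCL avoids racing another process into overwriting a fresh key
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(key)
        return key

    def issue_token(self, ad_username: str) -> str:
        mac = hmac.new(self._key, ad_username.encode(), "sha256").hexdigest()
        return f"{ad_username}:{mac}"

    def verify(self, presented: str):
        user, _, mac = presented.rpartition(":")
        if not user or not mac:
            return None
        expected = hmac.new(self._key, user.encode(), "sha256").hexdigest()
        if hmac.compare_digest(mac, expected):  # constant-time comparison
            return {"user": user, "auth": "ad-only"}
        return None


def demo() -> bool:
    """Shows the shared constant granting any account, and the hardened token
    rejecting both a swapped principal and a different install."""
    # Vulnerable: the same constant logs in as any AD-only account.
    assert vulnerable_ad_login(HARDCODED_TOKEN, "svc-backup")["user"] == "svc-backup"
    assert vulnerable_ad_login(HARDCODED_TOKEN, "domain-admin")["user"] == "domain-admin"

    with tempfile.TemporaryDirectory() as d:
        install_a = InstallSecret(Path(d) / "install-a.key")
        install_b = InstallSecret(Path(d) / "install-b.key")
        token = install_a.issue_token("alice")
        assert install_a.verify(token)["user"] == "alice"
        # Re-using alice's MAC under another principal fails.
        forged = "domain-admin:" + token.split(":", 1)[1]
        assert install_a.verify(forged) is None
        # The same token presented to a different install fails.
        assert install_b.verify(token) is None
    return True


if __name__ == "__main__":
    print("demo ok:", demo())
```

The design point is twofold: the secret must be generated per deployment rather than shipped in code (IA-5), and a token should authorize exactly one principal so that possession of one token cannot be turned into takeover of an arbitrary AD-only account.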

Details

CWE(s)

CWE-798 Use of Hard-coded Credentials

Affected Products

Zohocorp ManageEngine Analytics Plus and Zoho Analytics on-premise, versions older than 6130 (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2020-36911 (shared CWE-798)
CVE-2026-27073 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)
CVE-2026-30701 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2026-35503 (shared CWE-798)
CVE-2025-7401 (shared CWE-798)
CVE-2025-1393 (shared CWE-798)
CVE-2026-25202 (shared CWE-798)
CVE-2024-8893 (shared CWE-798)

References

https://www.manageengine.com/analytics-plus/CVE-2025-1724.html
https://www.zoho.com/analytics/onpremise/CVE-2025-1724.html