Cyber Resilience

CVE-2025-1724

Severity: High
Published: 17 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (build 6130 or later)
CVSS v3.1 Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0132 (80.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1724 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in ManageEngine Analytics Plus and Zoho Analytics on-premise (vendor and product inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Domain Accounts (T1078.002). Its EPSS score places it in the top 19.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

Zohocorp ManageEngine Analytics Plus and Zoho Analytics on-premise builds prior to 6130 contain a hardcoded sensitive token that enables an Active Directory-only account takeover. The flaw is tracked as CVE-2025-1724 and carries a CVSS 3.1 base score of 7.4: network attack vector, high attack complexity, no privileges required, no user interaction, scope unchanged. It is classified as CWE-798, use of hard-coded credentials.

A remote, unauthenticated attacker who recovers the embedded token can take over AD-integrated accounts in an affected analytics deployment, with high impact to confidentiality and integrity. Because the token is hardcoded it is the same in every affected install, so recovering it once is enough to attack any unpatched deployment. Availability is not affected, and the issue is limited to on-premise installations still running a build below 6130.

The advisories published by ManageEngine and Zoho at the referenced URLs direct administrators to upgrade to build 6130 or later, which removes the hardcoded token. The EPSS score remains low: 0.0132 currently, with a recorded peak of 0.0226.
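The single actionable fact in the advisory is the build threshold, so the first job for an operator is to find every on-premise Analytics Plus / Zoho Analytics host still below 6130. The script below is an added example, not code from ManageEngine, Zoho or this page: it reads an inventory export, tolerates the usual "Build 6130" / "unknown" noise in the build column, and separates hosts that need the patch from hosts whose build it cannot determine (those must be checked by hand rather than assumed fixed). The inventory rows are constructed for the example and the column names are an assumption about your own export.

```python
"""Fleet triage for CVE-2025-1724.

Added example, not code from ManageEngine, Zoho or the advisory. It takes an
inventory export of on-premise Analytics Plus / Zoho Analytics hosts and flags
every host whose reported build is below 6130, the fixed build the advisory
names. The inventory below is constructed for the example; the column names
(host, product, build) are an assumption about your own export format.
"""
import csv
import io
import re

FIXED_BUILD = 6130  # advisory: builds prior to 6130 are affected

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = """host,product,build
bi-prod-01,ManageEngine Analytics Plus,6120
bi-prod-02,ManageEngine Analytics Plus,Build 6130
analytics-dr,Zoho Analytics On-Premise,6135
bi-legacy,ManageEngine Analytics Plus,unknown
bi-staging,Zoho Analytics On-Premise,build 6129 (hotfix)
"""

# Build numbers for these products are plain integers; accept them with or
# without a "Build" prefix and ignore anything else in the cell.
BUILD_RE = re.compile(r"(?<!\d)(\d{4,})(?!\d)")


def parse_build(text):
    """Return the first run of 4+ digits in the cell as an int, or None if absent."""
    m = BUILD_RE.search(text)
    return int(m.group(1)) if m else None


def is_vulnerable(build):
    """Builds strictly below the fixed build are affected; None means unknown."""
    return build is not None and build < FIXED_BUILD


def triage(inventory_csv):
    """Split an inventory into (needs_patch, unknown_build).

    needs_patch is a sorted list of (host, build); unknown_build lists hosts
    whose build cell could not be parsed and must be verified by hand rather
    than silently treated as fixed.
    """
    needs_patch, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row["build"])
        if build is None:
            unknown.append(row["host"])
        elif is_vulnerable(build):
            needs_patch.append((row["host"], build))
    return sorted(needs_patch), sorted(unknown)


if __name__ == "__main__":
    needs_patch, unknown = triage(SAMPLE_INVENTORY)
    for host, build in needs_patch:
        print(f"PATCH  {host}: build {build} < {FIXED_BUILD}")
    for host in unknown:
        print(f"CHECK  {host}: build not parseable from inventory")
```

Hosts in the "unknown" list are deliberately not treated as fixed; an inventory that reports no build is the most common way a vulnerable instance survives a patch campaign.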

Vulnerability details

Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.002 Domain Accounts (Stealth)
Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Hardcoded token enables remote AD account takeover (T1078.002 Domain Accounts) via network-accessible on-premise analytics application (T1190 Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-42890 (shared CWE-798)
CVE-2020-36911 (shared CWE-798)
CVE-2026-35503 (shared CWE-798)
CVE-2017-20234 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)
CVE-2026-27073 (shared CWE-798)
CVE-2026-30701 (shared CWE-798)
CVE-2025-10850 (shared CWE-798)
CVE-2024-50688 (shared CWE-798)
CVE-2026-25202 (shared CWE-798)

Affected Assets

ManageEngine Analytics Plus and Zoho Analytics on-premise, builds prior to 6130
(vendor and product inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the hardcoded sensitive token by requiring timely identification, reporting, and patching to build 6130 or later.

IA-5 Authenticator Management (prevent)
Prohibits and manages authenticators such as hardcoded tokens so they cannot be used for AD authentication, directly addressing CWE-798.

Account management (prevent)
Enforces account management practices such as disabling unused AD-only accounts or restricting their privileges, which limits the impact of a takeover.
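The IA-5 control above, and the attacker model in the analysis (whoever recovers the embedded token can act as any AD user), both come down to one code shape. The block below is an added example written in Python, not Zoho's code: the product's real token and how it consumed it are not public. It places the vulnerable shape (a constant token compared with string equality, which grants whatever account the caller names) beside the hardened shape IA-5 asks for: a signing secret provisioned at runtime, and tokens that are HMAC-signed, bound to one user, and expiring. The ANALYTICS_TOKEN_SECRET variable name and the placeholder token value are assumptions for the example.

```python
"""The CWE-798 shape behind CVE-2025-1724, vulnerable and hardened side by side.

Added example in Python, not Zoho's code: the real token and how the product
consumed it are not public. vulnerable_login models the reported behaviour, a
constant token shipped in every install that lets whoever holds it act as any
AD user. TokenService is the hardened shape IA-5 asks for: the signing secret
is provisioned at runtime (the ANALYTICS_TOKEN_SECRET name is hypothetical),
and every token is bound to one user and an expiry.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Vulnerable shape. The literal below is a placeholder, not the real token.
HARDCODED_TOKEN = "example-not-a-real-token-0000"


def vulnerable_login(requested_user, presented_token):
    """Anyone who extracts HARDCODED_TOKEN from the build becomes any user they name."""
    if presented_token == HARDCODED_TOKEN:
        return requested_user
    return None


class TokenService:
    """Hardened shape: HMAC-signed, user-bound, expiring tokens under a runtime secret."""

    def __init__(self, secret, ttl_seconds=900, now=time.time):
        self._secret = secret      # bytes, provisioned at deploy time, never a literal
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry can be tested

    def _sign(self, body):
        return hmac.new(self._secret, body, hashlib.sha256).digest()

    def issue(self, user):
        """Mint a token for one user that stops working after ttl_seconds."""
        claims = {"sub": user, "exp": int(self._now()) + self._ttl,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(self._sign(body)).decode())

    def verify(self, token, requested_user):
        """Return the user the token is bound to, or None; constant-time on the MAC."""
        try:
            b64body, b64sig = token.split(".", 1)
            body = base64.urlsafe_b64decode(b64body)
            sig = base64.urlsafe_b64decode(b64sig)
        except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(body)  # only reached for a body we signed ourselves
        if claims["exp"] <= self._now() or claims["sub"] != requested_user:
            return None
        return claims["sub"]


def load_secret(env_var="ANALYTICS_TOKEN_SECRET"):
    """Read the signing secret from the environment; refuse to start without one."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} not provisioned; refusing to fall back to a literal")
    return value.encode()
```

The two properties worth checking in a code review are visible in verify: the token carries the subject it was issued for, so holding someone's token never lets you name a different account, and the MAC is verified before any claim is trusted, so a forged body is rejected without ever being parsed.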
