Cyber Resilience

CVE-2025-9223

HighRCE

Published: 11 November 2025

Published
11 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0336 87.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9223 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Zohocorp ManageEngine Applications Manager versions 178100 and below are affected by an authenticated command injection vulnerability (CVE-2025-9223) caused by improper configuration of the execute program action feature. The flaw carries a CVSS 3.1 score of 8.8 and is categorized as CWE-77, enabling remote command execution with high impact on confidentiality, integrity, and availability.

An attacker with low-privileged authenticated access can exploit the issue over the network with low complexity and no user interaction, allowing arbitrary command execution on the target system.

The vendor advisory at https://www.manageengine.com/products/applications-manager/security-updates/security-updates-cve-2025-9223.html provides mitigation guidance, including available patches for the affected product versions.

The associated EPSS score has remained flat at 0.0336 with no material rise since disclosure.

EU & UK References

Vulnerability details

Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated command injection in ManageEngine Applications Manager, a public-facing web application, enables remote code execution via exploitation of the vulnerable execute program action feature (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67397Shared CWE-77
CVE-2024-55030Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2026-8431Shared CWE-77
CVE-2026-44869Shared CWE-77
CVE-2025-70093Shared CWE-77
CVE-2025-0593Shared CWE-77
CVE-2026-34259Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2026-20163Shared CWE-77

Affected Assets

Zohocorp ManageEngine Applications Manager
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by validating and sanitizing user inputs to the execute program action feature.

prevent

Addresses the improper configuration in the execute program action feature by enforcing secure configuration settings.

prevent

Mitigates the vulnerability through timely patching as recommended in the ManageEngine security advisory.

References