CVE-2025-41437 - OpenCVE

Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.manageengine.com/itom/advisory/cve-2025-41437.html

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00031}`	epss `{'score': 0.00034}`

Mon, 09 Jun 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Jun 2025 11:00:00 +0000

Type	Values Removed	Values Added
Description		Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.
Title		Reflected XSS
Weaknesses		CWE-79
References		https://www.manageengine.com/itom/advisory/cve-2025-41437.html
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published: 2025-06-09T10:44:08.879Z

Updated: 2025-06-09T16:22:33.279Z

Reserved: 2025-04-21T10:22:18.137Z

Link: CVE-2025-41437

Vulnrichment

Updated: 2025-06-09T16:22:27.258Z

NVD

Status : Awaiting Analysis

Published: 2025-06-09T11:15:22.053

Modified: 2025-06-09T12:15:47.880

Link: CVE-2025-41437

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-41437", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "state": "PUBLISHED", "assignerShortName": "Zohocorp", "dateReserved": "2025-04-21T10:22:18.137Z", "datePublished": "2025-06-09T10:44:08.879Z", "dateUpdated": "2025-06-09T16:22:33.279Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpManager", "vendor": "ManageEngine", "versions": [{"lessThan": "128566", "status": "affected", "version": "0", "versionType": "128566"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrey Alekseev (Positive Technologies)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Zohocorp ManageEngine <span style=\"background-color: rgb(255, 255, 255);\">OpManager, <span style=\"background-color: rgb(255, 255, 255);\">NetFlow Analyzer, <span style=\"background-color: rgb(255, 255, 255);\">Network Configuration Manager, <span style=\"background-color: rgb(255, 255, 255);\">Firewall Analyzer and <span style=\"background-color: rgb(255, 255, 255);\">OpUtils versions <span style=\"background-color: rgb(255, 255, 255);\">128565 and below are vulnerable to Reflected XSS on the login page.</span></span></span></span></span></span><br>"}], "value": "Zohocorp ManageEngine\u00a0OpManager,\u00a0NetFlow Analyzer,\u00a0Network Configuration Manager,\u00a0Firewall Analyzer and\u00a0OpUtils versions\u00a0128565 and below are vulnerable to Reflected XSS on the login page."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2025-06-09T10:44:08.879Z"}, "references": [{"url": "https://www.manageengine.com/itom/advisory/cve-2025-41437.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Reflected XSS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-09T16:21:00.489016Z", "id": "CVE-2025-41437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T16:22:33.279Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-09T16:21:00.489016Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T16:22:27.258Z"}}], "cna": {"title": "Reflected XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrey Alekseev (Positive Technologies)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ManageEngine", "product": "OpManager", "versions": [{"status": "affected", "version": "0", "lessThan": "128566", "versionType": "128566"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.manageengine.com/itom/advisory/cve-2025-41437.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Zohocorp ManageEngine\u00a0OpManager,\u00a0NetFlow Analyzer,\u00a0Network Configuration Manager,\u00a0Firewall Analyzer and\u00a0OpUtils versions\u00a0128565 and below are vulnerable to Reflected XSS on the login page.", "supportingMedia": [{"type": "text/html", "value": "Zohocorp ManageEngine <span style=\"background-color: rgb(255, 255, 255);\">OpManager, <span style=\"background-color: rgb(255, 255, 255);\">NetFlow Analyzer, <span style=\"background-color: rgb(255, 255, 255);\">Network Configuration Manager, <span style=\"background-color: rgb(255, 255, 255);\">Firewall Analyzer and <span style=\"background-color: rgb(255, 255, 255);\">OpUtils versions <span style=\"background-color: rgb(255, 255, 255);\">128565 and below are vulnerable to Reflected XSS on the login page.</span></span></span></span></span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "shortName": "Zohocorp", "dateUpdated": "2025-06-09T10:44:08.879Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41437", "state": "PUBLISHED", "dateUpdated": "2025-06-09T16:22:33.279Z", "dateReserved": "2025-04-21T10:22:18.137Z", "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02", "datePublished": "2025-06-09T10:44:08.879Z", "assignerShortName": "Zohocorp"}, "dataVersion": "5.1"}