CVE-2025-3444

Published: May 22, 2025Modified: Jun 17, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 0fc0942c-577d-436f-ae8e-945763c79b02 (Secondary)

Description

Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

Affected (6)

Products: Zohocorp: Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus

Zohocorp

2 products

Manageengine Servicedesk Plus Msp

Manageengine Supportcenter Plus

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Servicedesk Plus Msp	Up to 14.8
Zohocorp Manageengine Servicedesk Plus Msp	Version 14.9 14900
Zohocorp Manageengine Servicedesk Plus Msp	Version 14.9 14910
Zohocorp Manageengine Supportcenter Plus	Up to 14.8
Zohocorp Manageengine Supportcenter Plus	Version 14.9 14900
Zohocorp Manageengine Supportcenter Plus	Version 14.9 14910

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (1)

https://www.manageengine.com/products/service-desk-msp/cve-2025-3444.html

Source: 0fc0942c-577d-436f-ae8e-945763c79b02

Vendor Advisory

Timeline

No history available yet.