Zoho Corporation has released an urgent security advisory addressing a critical-severity SQL injection vulnerability affecting Analytics Plus on-premise installations. Tracked as CVE-2025-8324 with a CVSS score of 9.8, the flaw allows unauthenticated remote attackers to execute arbitrary SQL queries against the product's backend database, leading to unauthorized data exposure and, in severe cases, account takeover.
According to the security advisory, “An unauthenticated SQL injection vulnerability (CVE-2025-8324) has been identified in Analytics Plus on-premise. This vulnerability could allow attackers to execute arbitrary SQL queries due to insufficient input validation.”
The vulnerability affects all Analytics Plus on-premise builds below 6170. Zoho's fix ships in Build 6171, so affected installations should be brought to Build 6171 or later.
Zoho warns that exploitation of this vulnerability can lead to serious data compromise.
“This vulnerability could lead to the unauthorized exposure of user information, potentially resulting in account takeovers.”
Because the flaw is unauthenticated, an attacker needs no valid credentials, only network reachability to the affected endpoints, which sharply raises the risk for any internet-exposed or poorly segmented deployment.
Analytics Plus is widely used for enterprise analytics, BI dashboards and data-processing workflows, and a BI backend of this kind typically holds copies of data imported from other business systems, so a compromise of its database can expose far more than the product's own configuration.
The advisory attributes the flaw to insufficient validation of user-supplied parameters in specific URLs handled by the Analytics Plus backend. Zoho states that the fix tightens that validation and removes the affected components.
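The advisory does not publish the affected URLs or the query involved, so the following is an added, generic illustration of the bug class it describes, not Zoho's code: a request parameter spliced directly into SQL beside the same lookup done with type validation and a bound parameter. The endpoint path, the `id` parameter, the `users` and `api_tokens` tables and their rows are all constructed for this example; SQLite stands in for whatever database the product uses.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample data standing in for the user information the advisory
# says could be exposed. Table names, columns and rows are assumptions.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test", "admin"),
    (2, "bob", "bob@example.test", "viewer"),
    (3, "carol", "carol@example.test", "viewer"),
]
SAMPLE_TOKENS = [
    (1, "tok_alice_0001", "alice"),  # an API token, the kind of secret that enables takeover
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)")
    conn.execute("CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT, owner TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO api_tokens VALUES (?, ?, ?)", SAMPLE_TOKENS)
    conn.commit()
    return conn


def user_id_from_url(url: str) -> str:
    """Extract the raw, URL-decoded 'id' query parameter (hypothetical endpoint)."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, url: str) -> list:
    """Vulnerable pattern: the untrusted parameter becomes part of the SQL text.

    Nothing checks that the value is a number, so an unauthenticated caller can
    rewrite the WHERE clause (OR 1=1) or append a UNION that reads other tables.
    """
    raw_id = user_id_from_url(url)
    sql = f"SELECT id, name, email, role FROM users WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, url: str) -> list:
    """Hardened pattern: reject anything that is not an integer, then bind the
    value as a query parameter so the database never parses attacker input as SQL.
    """
    raw_id = user_id_from_url(url)
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, name, email, role FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


BASE = "https://analytics.example.test/report"  # hypothetical endpoint
NORMAL = BASE + "?id=2"
TAUTOLOGY = BASE + "?id=1%20OR%201%3D1"  # decodes to: 1 OR 1=1
UNION = BASE + "?id=1%20UNION%20SELECT%20id,token,owner,%27token%27%20FROM%20api_tokens"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal request:", lookup_vulnerable(db, NORMAL))
    print("vulnerable, tautology:      ", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:          ", lookup_vulnerable(db, UNION))
    print("hardened, normal request:   ", lookup_hardened(db, NORMAL))
    try:
        lookup_hardened(db, TAUTOLOGY)
    except ValueError as exc:
        print("hardened, tautology rejected:", exc)
```

The tautology request turns a single-row lookup into a dump of the whole `users` table, and the UNION request pulls rows from an unrelated table through the same endpoint, which is the path from "unauthorized exposure of user information" to account takeover that the advisory warns about. The hardened version fails closed on anything that is not an integer and binds the value, so both payloads are refused before any SQL is parsed.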
Given how SQL injection vulnerabilities are commonly used to exfiltrate database contents, alter data, or escalate privileges, organizations should treat CVE-2025-8324 as a high-priority risk.
Zoho instructs all on-premise customers to update immediately.
Steps to remediate include:
- Downloading the latest upgrade pack from the official service pack page.
- Following the upgrade instructions provided on that page.
- Confirming afterwards that the installed build number is 6171 or later, since an upgrade that did not complete leaves the vulnerable code in place.
Until the upgrade is applied, restricting network access to the Analytics Plus web interface to trusted networks reduces exposure, because the flaw requires no credentials, only reachability.