ManageEngine has issued a critical security alert for ADSelfService Plus, its widely used self-service password management and single sign-on solution. The vendor has patched a high-severity vulnerability, tracked as CVE-2025-11250, which carries a CVSS score of 9.1.
The flaw affects every build of the software up to and including Build 6518. While specific technical details of the exploit vector have been withheld, the “Critical” rating indicates that successful exploitation could have severe consequences for organizational security, potentially including unauthorized access or system compromise. Because no details are published, the installed build number is the only reliable indicator of exposure.
The vulnerability was officially resolved in Build 6519, released on October 01, 2025.
Administrators are urged to upgrade their instances immediately. “Update your ADSelfService Plus instance to build 6519 using the service pack,” the advisory instructs.
The issue was identified internally rather than by an external researcher. ManageEngine credited the discovery to a report filed through the Zoho BugBounty program.
Given the sensitive nature of ADSelfService Plus—which interacts directly with Active Directory credentials—unpatched instances represent a significant risk. Organizations should prioritize this update to ensure their identity infrastructure remains secure.