ManageEngine Critical Vulnerability - 20250610001

Overview

The WA SOC has been made aware of a critical vulnerability in ManageEngine Exchange Reporter Plus that permits remote code execution. Successful exploitation could allow attackers to execute custom arbitrary commands on target servers.

What is vulnerable?

Product(s) Affected	Version(s)	CVE	CVSS	Severity
ManageEngine Exchange Reporter Plus	All builds prior to 5722	CVE-2025-3835	9.6	Critical

What has been observed?

The WA SOC has not received any reports of exploitaiton of this vulnerability on Western Australian Government networks at the time of writing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer Patch Management):

• ManageEngine: https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-3835.html

Additional References

• SecurityOnline: https://securityonline.info/critical-9-6-cvss-rce-manageengine-exchange-reporter-plus-vulnerability-discovered/