Introduction
Authenticated users of ManageEngine ADManager Plus could execute arbitrary operating system commands on the server due to a critical flaw in the Custom Script component. This vulnerability, tracked as CVE-2025-10020, affects all versions before Build 8025 and enables attackers to gain full control over the application server if exploited.
About ManageEngine and ADManager Plus:
ManageEngine, a division of Zoho Corporation, is a major provider of IT management and security solutions with a global customer base. ADManager Plus is a widely used Active Directory management and reporting tool in enterprise environments, offering automation and delegation features for identity and access management. Its broad deployment means vulnerabilities can have significant impact across industries.
Technical Information
CVE-2025-10020 is an authenticated command injection vulnerability in the Custom Script component of ManageEngine ADManager Plus. The flaw is present in all versions prior to Build 8025. The vulnerability arises from improper input validation (CWE-77: Improper Neutralization of Special Elements used in a Command) within the Custom Script functionality. Authenticated users with access to this feature can provide specially crafted input that is directly incorporated into system command execution without sufficient sanitization. As a result, arbitrary commands can be executed with the privileges of the ADManager Plus service account.
The Custom Script component is intended to allow administrators to automate tasks using user-defined scripts. However, the lack of proper input handling means that any input parameters passed to these scripts could be manipulated to inject additional commands. This could lead to remote code execution, data theft, privilege escalation, or lateral movement within the network. The vulnerability is only exploitable by authenticated users, but in environments where multiple technicians or delegated administrators have access, the risk of credential compromise or insider abuse is significant.
No public code snippets or proof of concept details are available at this time. The root cause is the direct use of unsanitized user input in command execution APIs or shell invocations within the Custom Script component.
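Because no code from the affected component is public, the following is an added, generic illustration of the CWE-77 pattern the advisory describes, written for this page in Python and not taken from ADManager Plus or from the vendor. It contrasts the vulnerable shape (a script path and a caller-supplied parameter concatenated into one shell string) with a hardened shape (allowlist validation plus an argv list executed without a shell), and adds the cheap metacharacter check a defender can apply to submitted parameters or request logs. The script name `custom_script.sh` and the sample parameter values are constructed for the example.

```python
import re
import subprocess
import sys
from typing import List

# Allowlist for a script parameter such as a user name: letters, digits and a
# few punctuation characters, bounded in length.  Anything outside this set
# (spaces, ';', '|', '&', '$', backticks, quotes, newlines) is rejected outright.
SAFE_PARAM = re.compile(r"[A-Za-z0-9._@\-]{1,64}")

# Characters that only make sense if a shell is expected to interpret them.
SHELL_METACHARS = set(";|&$`\"'<>\n\r()")


def build_command_vulnerable(script: str, param: str) -> str:
    """Vulnerable pattern (CWE-77): the caller-supplied value is spliced into a
    single command string that is later handed to a shell.  A value carrying a
    command separator therefore becomes a second command."""
    return f"{script} {param}"


def contains_shell_metacharacters(value: str) -> bool:
    """Detection-side check: flag parameter values (or logged request fields)
    that contain shell control characters.  Legitimate identifiers never do."""
    return any(ch in SHELL_METACHARS for ch in value)


def parameter_is_accepted(param: str) -> bool:
    """Allowlist validation: the whole value must match SAFE_PARAM."""
    return SAFE_PARAM.fullmatch(param) is not None


def build_argv_safe(script: str, param: str) -> List[str]:
    """Hardened pattern: validate against the allowlist, then return an argv
    list.  Passing a list (shell=False) means each element reaches the target
    program as one literal argument; no shell ever parses it."""
    if not parameter_is_accepted(param):
        raise ValueError(f"rejected script parameter: {param!r}")
    return [script, param]


def run_without_shell(param: str) -> str:
    """Defence in depth: even an unvalidated value cannot start a second
    command when no shell is involved.  The Python interpreter stands in for
    the custom script here; the function returns the argument it received."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", param]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate user name and one carrying a
    # command separator, so both code paths can be compared side by side.
    for value in ("alice", "alice; id"):
        print("vulnerable string:", build_command_vulnerable("custom_script.sh", value))
        print("metacharacters?  ", contains_shell_metacharacters(value))
        try:
            print("safe argv:       ", build_argv_safe("custom_script.sh", value))
        except ValueError as exc:
            print("safe argv:        rejected ->", exc)
        print("as literal arg:  ", repr(run_without_shell(value)))
```

The two layers are deliberately independent: the allowlist rejects anything that is not a plausible identifier, and the shell-free invocation guarantees that even a value which slips past validation is delivered to the script as inert text rather than interpreted. Either layer alone would have prevented the class of flaw described above; together they also give a clear point at which rejected input can be logged for detection.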
Patch Information
ManageEngine has released Build 8025 to address the authenticated command injection vulnerability in the Custom Script component of ADManager Plus (CVE-2025-10020). The update corrects the improper handling of user input within custom scripts that previously allowed authenticated users to execute arbitrary commands on the server, potentially leading to remote code execution (RCE). With Build 8025 the application sanitizes and validates this input, mitigating the risk. Users are strongly advised to apply the update promptly to protect the integrity and security of their systems.
References:
- https://www.manageengine.com/products/ad-manager/release-notes.html
- https://www.manageengine.jp/support/kb/ADManager_Plus/?p=6166
Affected Systems and Versions
- Product: ManageEngine ADManager Plus
- Affected versions: All versions before Build 8025
- Vulnerable component: Custom Script functionality
- Only installations that allow authenticated users to create or execute custom scripts are directly exposed
Vendor Security History
ManageEngine has previously addressed several high-severity vulnerabilities in its products:
- CVE-2021-42002: Authentication bypass in ADManager Plus, allowing remote code execution
- CVE-2021-28960: Unauthenticated command injection in Desktop Central
The vendor typically releases patches and advisories in a timely manner, but recurring command injection issues indicate persistent challenges in secure input handling across products.