Skip to main content
CVE Vulnerability Database

CVE-2025-1724: Zoho Analytics Auth Bypass Vulnerability

CVE-2025-1724 is an authentication bypass flaw in ManageEngine Analytics Plus and Zoho Analytics caused by a hardcoded token. Attackers can exploit this to take over AD accounts. Learn about affected versions and fixes.

Published:

CVE-2025-1724 Overview

CVE-2025-1724 is a high-severity vulnerability affecting Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise installations. The vulnerability stems from a hardcoded sensitive token that enables Active Directory (AD) only account takeover attacks. Organizations running versions older than 6130 are at risk of unauthorized account compromise, potentially allowing attackers to gain control of AD-integrated user accounts without proper authentication.

Critical Impact

Attackers can exploit the hardcoded token to take over AD-only accounts, potentially gaining unauthorized access to sensitive analytics data, dashboards, and administrative functions within affected ManageEngine Analytics Plus and Zoho Analytics deployments.

Affected Products

  • Zohocorp ManageEngine Analytics Plus versions older than 6130
  • Zoho Analytics On-Premise versions older than 6130
  • AD-integrated deployments using affected versions

Discovery Timeline

  • 2025-03-17 - CVE-2025-1724 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-1724

Vulnerability Analysis

This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials), representing a significant authentication weakness in the affected analytics platforms. The presence of a hardcoded sensitive token within the application code creates a static attack surface that can be exploited across all vulnerable installations. Unlike dynamically generated tokens, hardcoded credentials remain constant, meaning once discovered, they can be leveraged against any unpatched system.

The attack requires network access but does not require prior authentication or user interaction. The complexity is considered high due to the specific conditions required for exploitation, primarily targeting AD-integrated environments. Successful exploitation compromises both confidentiality and integrity of user accounts, though availability remains unaffected.

Root Cause

The root cause of CVE-2025-1724 lies in the improper use of a hardcoded sensitive token within the authentication mechanism for AD-integrated accounts. During the development or integration process, a static token was embedded directly in the application code rather than being dynamically generated or securely managed through proper secrets management practices. This hardcoded token is accessible to attackers who can reverse engineer the application or obtain the token through code analysis, enabling them to bypass normal authentication flows for AD-only accounts.

Attack Vector

The attack vector is network-based, allowing remote exploitation without requiring local access to the target system. An attacker with knowledge of the hardcoded token can craft authentication requests targeting the AD account integration functionality. The exploitation path involves:

  1. Identifying vulnerable ManageEngine Analytics Plus or Zoho Analytics On-Premise installations (versions prior to 6130)
  2. Extracting or utilizing the known hardcoded token value
  3. Sending specially crafted authentication requests leveraging the token
  4. Gaining unauthorized access to AD-only user accounts

The vulnerability specifically affects AD-integrated authentication flows, meaning organizations using local-only authentication may have reduced exposure.

Detection Methods for CVE-2025-1724

Indicators of Compromise

  • Unusual authentication attempts to AD-integrated accounts from unexpected IP addresses or geographic locations
  • Authentication log entries showing successful logins without corresponding AD domain controller authentication events
  • Anomalous session creation patterns for AD-only user accounts
  • Unauthorized access to analytics dashboards or reports by accounts that should not have access

Detection Strategies

  • Implement monitoring for authentication anomalies specifically targeting AD-only account logins
  • Cross-reference application authentication logs with Active Directory event logs to identify discrepancies
  • Deploy network traffic analysis to detect unusual patterns in analytics platform authentication flows
  • Configure SIEM rules to alert on multiple successful authentications from different source IPs for the same AD account

Monitoring Recommendations

  • Enable verbose logging for authentication events in ManageEngine Analytics Plus and Zoho Analytics
  • Implement real-time alerting for privileged account access and administrative actions
  • Monitor for unauthorized data exports or dashboard modifications following authentication events
  • Establish baseline behavior patterns for AD-integrated account usage to detect deviations

How to Mitigate CVE-2025-1724

Immediate Actions Required

  • Upgrade ManageEngine Analytics Plus and Zoho Analytics On-Premise installations to version 6130 or later immediately
  • Audit all AD-integrated accounts for unauthorized access or suspicious activity following any detected exploitation
  • Review authentication logs for signs of compromise prior to patching
  • Consider temporarily disabling AD integration until patching is complete in high-risk environments

Patch Information

Zohocorp has addressed this vulnerability in version 6130 and later releases of both ManageEngine Analytics Plus and Zoho Analytics On-Premise. Organizations should apply the latest available updates through their standard upgrade procedures. For detailed patching instructions, refer to the official advisories from ManageEngine and Zoho.

Workarounds

  • Restrict network access to the analytics platform to trusted IP ranges and internal networks only
  • Implement additional authentication layers such as multi-factor authentication (MFA) for all AD-integrated accounts
  • Monitor and log all authentication attempts with enhanced detail for forensic analysis
  • Consider temporarily switching to local authentication until the patch can be applied in production environments
bash
# Network access restriction example (firewall rule)
# Restrict access to ManageEngine Analytics Plus to internal network only
iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.