CVE-2025-11670 is a vulnerability identified in Zohocorp's ManageEngine ADManager Plus, a widely used Active Directory management tool. The flaw involves the exposure of NTLM hashes, which are sensitive authentication credentials, to unauthorized actors. Specifically, the vulnerability is classified under CWE-200, indicating exposure of sensitive information. The exploit requires that the attacker be a technician with the 'Impersonate as Admin' option enabled, meaning the attacker must already have some level of privileged access within the system. The vulnerability does not require user interaction and can be exploited remotely (AV:N), with low attack complexity (AC:L). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The CVSS 3.1 base score is 6.4, reflecting a medium severity level primarily due to the confidentiality impact (C:L), with limited integrity impact (I:L) and no availability impact (A:N). Although no known exploits are currently reported in the wild, the exposure of NTLM hashes is critical because these hashes can be used in pass-the-hash attacks or to escalate privileges further within a network. The vulnerability affects all versions before 8025 of ADManager Plus, but no official patch links have been provided yet. Organizations using this product should be aware that technicians with impersonation privileges represent a potential attack vector if their accounts are compromised or misused.

For European organizations, the exposure of NTLM hashes can lead to significant security risks, especially in environments heavily reliant on Active Directory for identity and access management. Attackers gaining access to these hashes could perform lateral movement, privilege escalation, or persistent access within corporate networks. This is particularly concerning for sectors such as finance, government, healthcare, and critical infrastructure, where Active Directory is a cornerstone of IT operations. The requirement for the attacker to have impersonation privileges limits the risk to insider threats or compromised privileged accounts, but the potential damage from such an exploit remains high. The confidentiality breach could lead to data theft, unauthorized access to sensitive systems, and disruption of business operations. Given the interconnected nature of European enterprises and regulatory requirements like GDPR, exposure of sensitive credentials could also result in compliance violations and reputational damage.

European organizations should immediately review and restrict the 'Impersonate as Admin' privilege within ManageEngine ADManager Plus to only the most trusted and necessary personnel. Implement strict access controls and monitoring on accounts with impersonation rights to detect any unusual activity. Employ network segmentation and least privilege principles to limit the scope of potential exploitation. Regularly audit Active Directory and related management tools for misconfigurations or excessive privileges. Since no patch is currently linked, organizations should engage with Zohocorp support for updates or workarounds and apply patches promptly once available. Additionally, consider deploying multi-factor authentication (MFA) for privileged accounts and enhancing logging and alerting mechanisms to detect attempts to access or export NTLM hashes. Conduct internal security awareness training to mitigate insider threats and ensure technicians understand the risks associated with privilege misuse.