
CVE-2025-36528: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ManageEngine ADAudit Plus

Severity: High
Tags: Vulnerability, CVE-2025-36528, CWE-89
Published: Mon Jun 09 2025 (06/09/2025, 11:12:14 UTC)
Source: CVE Database V5
Vendor/Project: ManageEngine
Product: ADAudit Plus

Description

Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.

AI-Powered Analysis

Last updated: 07/09/2025, 11:57:00 UTC

Technical Analysis

CVE-2025-36528 is a high-severity vulnerability in ManageEngine ADAudit Plus, a widely used IT auditing and compliance product developed by Zoho Corporation. It is classified as CWE-89, improper neutralization of special elements used in an SQL command, commonly known as SQL injection. The flaw affects ADAudit Plus versions 8510 and prior and is located in the Service Account Auditing reports functionality.

An authenticated attacker with at least low privileges (PR:L) can exploit the flaw remotely over the network (AV:N) without any user interaction (UI:N). By supplying crafted input to the vulnerable report fields, the attacker can alter the backend database queries, leading to unauthorized disclosure of sensitive data (C:H), modification of that data (I:H), and limited disruption of service availability (A:L). The CVSS v3.1 base score is 8.3, rated High. No public exploits have been reported in the wild yet, but the ease of exploitation combined with the sensitivity of the data ADAudit Plus handles makes this a significant threat.

The root cause is insufficient validation and sanitization of user-controlled input in the SQL queries used to generate Service Account Auditing reports, which allows arbitrary SQL statements to execute within the database context. Consequences include leakage of sensitive audit logs, unauthorized changes to audit configurations, and partial denial of service through corrupted database entries. Because ADAudit Plus monitors Active Directory environments and underpins compliance auditing, exploitation could severely undermine an organization's security monitoring and incident response capabilities.

Potential Impact

For European organizations, the impact of CVE-2025-36528 could be substantial. ADAudit Plus is commonly deployed in enterprises for Active Directory auditing, compliance reporting, and security monitoring. Successful exploitation could give an attacker access to sensitive audit logs containing user activity, system changes, and security events, compromising confidentiality. The integrity of audit data could also be undermined, allowing attackers to cover their tracks or falsify logs, which is particularly damaging for organizations subject to strict regulatory requirements such as GDPR, the NIS Directive, and other European data protection laws. The availability impact is limited but could disrupt auditing functions temporarily.

A breach of audit data, or manipulation of auditing configurations, could delay the detection of insider threats or external intrusions and so increase overall risk exposure. Organizations in sectors with high compliance demands, such as finance, healthcare, government, and critical infrastructure, would be especially affected. Because the vulnerability requires authentication, insider threats or compromised credentials are the likely path to exploitation, which underlines the need for robust internal access controls and monitoring. The absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score and the critical nature of the data involved call for urgent attention.

Mitigation Recommendations

To mitigate CVE-2025-36528, European organizations should upgrade ADAudit Plus to a patched version as soon as Zoho Corporation releases one. Until a patch is available, restrict who can authenticate to ADAudit Plus and access the Service Account Auditing reports feature, ideally limiting it to trusted administrators only. Use network segmentation and firewall rules to expose the ADAudit Plus management interface only to trusted networks and users.

Enable and monitor detailed logging of all access to the auditing reports so that anomalous or unauthorized activity can be detected. Conduct regular credential audits and enforce strong authentication, such as multi-factor authentication, to reduce the risk of credential compromise. Review and harden database permissions so that the ADAudit Plus service account holds only the minimum privileges it needs; this limits the damage a successful SQL injection can do, since injected statements run with that account's rights.

Security teams should also prepare incident response plans that specifically cover audit log integrity and confidentiality breaches. Finally, as an interim protective measure, consider deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts against ADAudit Plus interfaces.


Technical Details

Data Version: 5.1
Assigner Short Name: Zohocorp
Date Reserved: 2025-04-21T07:24:59.749Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6846c7637b622a9fdf1f2a28

Added to database: 6/9/2025, 11:37:07 AM

Last enriched: 7/9/2025, 11:57:00 AM

Last updated: 8/17/2025, 10:10:04 AM

