CVE-2025-7429 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Zohocorp's ManageEngine Exchange Reporter Plus software, specifically versions 5723 and earlier. The vulnerability resides in the 'Mails Deleted or Moved' report functionality, where user-supplied input is not properly sanitized or neutralized before being stored and subsequently rendered in the web interface. This improper input handling allows an attacker with at least low-level privileges (PR:L) to inject malicious JavaScript code that is stored persistently on the server. When other users view the affected report, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application context. The CVSS v3.1 base score of 7.3 reflects a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), with high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant threat, especially in environments where multiple users access the reporting interface. The vulnerability was reserved in July 2025 and published in November 2025, with no patch links currently available, indicating that organizations must monitor for vendor updates. The vulnerability's exploitation could allow attackers to bypass access controls and compromise sensitive Exchange reporting data, undermining organizational security and trust in the reporting system.

The impact of CVE-2025-7429 is substantial for organizations using ManageEngine Exchange Reporter Plus, as it enables attackers to execute arbitrary scripts in the context of authenticated users. This can lead to theft of session cookies, enabling account takeover, unauthorized access to sensitive Exchange reporting data, and potential lateral movement within the network. The confidentiality and integrity of user data are at high risk, while availability is not directly affected. Given that the vulnerability requires low privileges and user interaction, insider threats or compromised low-level accounts could be leveraged to escalate attacks. Organizations relying on this product for compliance, auditing, or operational monitoring may face data breaches, regulatory penalties, and reputational damage. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the widespread use of ManageEngine products in enterprise environments worldwide increases the potential attack surface significantly.

To mitigate CVE-2025-7429, organizations should: 1) Monitor Zohocorp's official channels closely for patches or updates addressing this vulnerability and apply them promptly once available. 2) Until patches are released, restrict access to the 'Mails Deleted or Moved' report to trusted administrators only, minimizing exposure. 3) Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting this specific report. 4) Conduct thorough input validation and output encoding on any user-supplied data within the reporting interface, if customization or scripting is possible. 5) Educate users about the risks of interacting with suspicious links or reports and enforce strong authentication and session management controls to limit the impact of potential session hijacking. 6) Review and audit logs for unusual activities related to the Exchange Reporter Plus application to detect early signs of exploitation attempts. 7) Consider network segmentation to isolate the reporting server from broader enterprise systems to contain potential breaches.