CVE-2025-7632 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting Zohocorp's ManageEngine Exchange Reporter Plus software, versions 5723 and earlier. The flaw exists in the Public Folders report component where user-supplied input is not properly sanitized or neutralized before being embedded in web pages generated by the application. This improper input handling enables attackers with low privileges to inject malicious scripts that are stored persistently and executed in the browsers of users who view the affected report. The vulnerability requires user interaction, such as viewing the compromised report, to trigger script execution. The CVSS v3.1 base score is 7.3, reflecting a high severity due to the network attack vector, low attack complexity, requirement for low privileges, and user interaction. The impact includes high confidentiality and integrity loss, as attackers can steal session tokens, perform actions on behalf of users, or manipulate data displayed in the application. Availability is not impacted. No patches or exploits are currently publicly available, but the vulnerability is officially published and reserved since mid-2025. This vulnerability is critical for organizations relying on ManageEngine Exchange Reporter Plus for Exchange server monitoring and reporting, as it can facilitate lateral movement, data theft, or persistent footholds within enterprise environments.

The vulnerability poses a significant risk to organizations using ManageEngine Exchange Reporter Plus, potentially allowing attackers to execute arbitrary JavaScript in the context of authenticated users. This can lead to theft of sensitive information such as session cookies, credentials, or internal data, unauthorized actions within the application, and manipulation of report data integrity. Since the vulnerability is stored XSS, it can persistently affect multiple users, increasing the attack surface. The requirement for low privileges and user interaction lowers the barrier for exploitation, making phishing or social engineering viable attack vectors. While availability is unaffected, the confidentiality and integrity impacts can lead to broader compromise of enterprise networks, especially in environments where Exchange Reporter Plus is integrated with other management tools. The absence of known exploits currently provides a window for remediation, but the high CVSS score indicates a critical need for proactive defense.

Organizations should immediately inventory their ManageEngine Exchange Reporter Plus deployments to identify affected versions (5723 and below). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data, particularly in the Public Folders report feature. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce XSS impact. Limit user privileges to the minimum necessary to reduce exploitation scope. Educate users to be cautious when interacting with reports or links from untrusted sources. Monitor logs for unusual activity related to the reporting module. Once a patch is available, prioritize its deployment across all affected systems. Additionally, consider isolating the reporting tool within segmented network zones to limit lateral movement in case of compromise. Regularly update and audit web application security configurations to detect and prevent similar vulnerabilities.