
CVE-2025-7633: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Zohocorp ManageEngine Exchange Reporter Plus

Severity: High
Tags: Vulnerability, CVE-2025-7633, CWE-79
Published: Tue Nov 11 2025 (11/11/2025, 10:32:01 UTC)
Source: CVE Database V5
Vendor/Project: Zohocorp
Product: ManageEngine Exchange Reporter Plus

Description

Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and below are vulnerable to a stored XSS vulnerability in the Custom report feature.

AI-Powered Analysis

AI analysis last updated: 11/11/2025, 10:50:49 UTC

Technical Analysis

CVE-2025-7633 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in Zohocorp ManageEngine Exchange Reporter Plus versions 5723 and earlier. The flaw lies in the Custom report functionality, where user-supplied input is not properly sanitized or encoded before being embedded in web pages. An attacker with low privileges (PR:L) can therefore store malicious JavaScript that persists with the report and executes in the browsers of other users who view it. The attack vector is network-based (AV:N); the attacker needs authenticated access, and a victim must interact with the affected report (UI:R) for the payload to run. The vulnerability impacts confidentiality and integrity (C:H/I:H) but not availability (A:N). No exploits are currently known in the wild, but the flaw still poses a significant risk because it can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. The CVSS 3.1 base score of 7.3 (High) reflects the ease of exploitation over the network with low attack complexity and the potential for significant data compromise. The vulnerability was reserved in July 2025 and published in November 2025 with no patch links currently available, so organizations should prioritize mitigation and monitoring until an official fix is released.

Potential Impact

For European organizations, this vulnerability presents a critical risk to the confidentiality and integrity of sensitive email reporting data managed through Exchange Reporter Plus. Attackers exploiting this flaw could execute malicious scripts in the context of authenticated users, potentially leading to credential theft, unauthorized access to Exchange reporting data, or lateral movement within the network. This is particularly concerning for organizations that rely heavily on ManageEngine products for monitoring and compliance reporting of Microsoft Exchange environments, such as financial institutions, government agencies, and large enterprises. The stored nature of the XSS increases the risk as malicious payloads persist and affect multiple users over time. The lack of availability impact means systems remain operational but compromised, making detection more difficult. Additionally, the requirement for some level of privilege and user interaction limits exploitation to insider threats or targeted attacks, but the high impact on confidentiality and integrity justifies urgent attention. The absence of known exploits in the wild provides a window for proactive defense, but the vulnerability’s presence in widely used enterprise software underscores the need for immediate risk assessment and mitigation.

Mitigation Recommendations

1. Immediately restrict the ability to create or modify Custom reports to only highly trusted and trained administrators to reduce the attack surface.
2. Implement strict input validation and output encoding on all user-supplied data within the Custom report feature to prevent injection of malicious scripts.
3. Deploy Content Security Policies (CSP) that limit the execution of inline scripts and restrict sources of executable code in the Exchange Reporter Plus web interface.
4. Monitor logs and user activities for unusual report creation or modification patterns that could indicate exploitation attempts.
5. Until an official patch is released by Zohocorp, consider isolating the Exchange Reporter Plus server from less trusted networks and enforce multi-factor authentication for all users with report creation privileges.
6. Regularly review and update web application firewall (WAF) rules to detect and block XSS payloads targeting this vulnerability.
7. Educate users about the risks of interacting with untrusted reports and encourage reporting of suspicious behavior.
8. Once available, promptly apply vendor patches and verify remediation through security testing.
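As an added illustration of mitigation steps 2 through 4 (not code from Zohocorp or this advisory), the following Python contrasts the vulnerable pattern behind a stored XSS in a report title with its output-encoded form, pairs it with a restrictive CSP, and runs a simple triage check over constructed report-creation audit lines. The report name payload, the CSP value and the audit log layout are all assumptions for the example; the product's real templates and log format are not documented on this page.

```python
import html
import re

# Constructed sample report name, as a low-privileged user with report-creation
# rights could store it; the payload is an illustrative placeholder, not from the advisory.
MALICIOUS_REPORT_NAME = "Mailbox sizes <script>alert(document.domain)</script>"


def render_report_title_unsafe(name: str) -> str:
    """Vulnerable pattern: stored, user-controlled text concatenated straight into HTML.
    Whatever markup was saved with the report is emitted verbatim to every viewer."""
    return f'<h2 class="report-title">{name}</h2>'


def render_report_title_safe(name: str) -> str:
    """Hardened pattern: contextual output encoding for an HTML text node.
    quote=True also escapes ' and ", so the helper is safe inside attribute values too."""
    return f'<h2 class="report-title">{html.escape(name, quote=True)}</h2>'


# Defence in depth (step 3): a CSP that forbids inline script, so a stored payload
# that slips past encoding still does not execute. Assumed policy value.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

# Crude indicator of active content: used to contrast the two renderers and to
# triage report create/modify audit events (step 4). Not a substitute for encoding.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[^>]*\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def contains_active_markup(text: str) -> bool:
    return ACTIVE_MARKUP.search(text) is not None


# Constructed audit lines in an assumed 'user=... action=... name="..."' layout.
SAMPLE_AUDIT_LOG = [
    'user=alice action=create_custom_report name="Mailbox sizes"',
    'user=mallory action=create_custom_report name="Mailbox sizes <script>alert(document.domain)</script>"',
    'user=bob action=modify_custom_report name="Top senders <img src=x onerror=alert(1)>"',
]


def flag_suspicious_report_events(lines):
    """Return (user, name) for report create/modify events whose name carries active markup."""
    hits = []
    for line in lines:
        m = re.search(r'user=(\S+) action=(create|modify)_custom_report name="(.*)"', line)
        if m and contains_active_markup(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits
```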


Technical Details

Data Version: 5.2
Assigner Short Name: Zohocorp
Date Reserved: 2025-07-14T09:59:36.530Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691313db4e59013eb31f4ed8

Added to database: 11/11/2025, 10:45:47 AM

Last enriched: 11/11/2025, 10:50:49 AM

Last updated: 11/11/2025, 3:00:53 PM

