CVE-2025-7633 is a stored Cross-site Scripting (XSS) vulnerability identified in Zohocorp's ManageEngine Exchange Reporter Plus product, specifically in versions 5723 and earlier. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. The flaw exists in the Custom report functionality, where user-supplied input is not properly sanitized or encoded before being rendered in the web interface. This allows an attacker with limited privileges (PR:L) to inject malicious JavaScript code that is stored on the server and executed in the browsers of users who view the compromised report. Exploitation requires user interaction (UI:R), such as an authenticated user opening the malicious report, but does not require elevated privileges beyond limited user rights. The CVSS v3.1 base score is 7.3, reflecting a high severity due to the network attack vector (AV:N), low attack complexity (AC:L), and high impact on confidentiality and integrity (C:H/I:H), though availability is not affected (A:N). The vulnerability could enable attackers to steal sensitive information, hijack user sessions, or perform actions on behalf of the victim within the application context. Currently, no public exploits have been reported in the wild, and no patches are linked yet, indicating the need for vigilance and proactive mitigation. The vulnerability affects organizations using ManageEngine Exchange Reporter Plus for monitoring and reporting on Microsoft Exchange environments, a critical component in many enterprise IT infrastructures.

The impact of CVE-2025-7633 is significant for organizations using ManageEngine Exchange Reporter Plus, as it allows attackers to execute arbitrary scripts in the context of authenticated users. This can lead to theft of sensitive data such as credentials, session tokens, or other confidential information accessible through the application. Additionally, attackers may perform unauthorized actions on behalf of users, potentially leading to further compromise of the IT environment. Since the vulnerability is stored XSS, the malicious payload persists on the server and can affect multiple users, increasing the attack surface. The requirement for user interaction and limited privileges reduces the ease of exploitation somewhat, but the low attack complexity and network accessibility make it a realistic threat. Enterprises relying on this product for Exchange server reporting and monitoring, especially those with large user bases, face risks of data breaches, compliance violations, and operational disruptions. The absence of known exploits in the wild currently offers a window for remediation before widespread attacks occur.

Organizations should immediately inventory their deployments of ManageEngine Exchange Reporter Plus and identify versions 5723 and below. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data in the Custom report feature to prevent script injection. Restrict access to the reporting interface to trusted users and networks, and enforce the principle of least privilege to limit potential attackers' capabilities. Monitor logs for unusual activity or attempts to inject scripts. Educate users about the risks of opening untrusted reports or links within the application. Once a patch is available, apply it promptly and verify remediation through security testing. Additionally, consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the affected endpoints. Regularly update and audit security controls to reduce the attack surface and improve detection capabilities.