CVE-2025-7633 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in Zohocorp's ManageEngine Exchange Reporter Plus product, specifically in versions 5723 and earlier. The vulnerability exists due to improper neutralization of user-supplied input during the generation of custom reports, which allows an attacker with limited privileges (PR:L) to inject malicious JavaScript code that is stored persistently within the application. When other users view the affected custom report, the malicious script executes in their browsers, potentially compromising their session, stealing sensitive information, or performing actions on their behalf. The CVSS v3.1 base score is 7.3, indicating a high severity level, with the vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. This means the attack can be launched remotely over the network with low attack complexity, requires some level of privileges, and user interaction is necessary (e.g., viewing the malicious report). The vulnerability impacts confidentiality and integrity significantly but does not affect availability. There are no known exploits in the wild at the time of publication (November 2025). The lack of an official patch link suggests that a fix may be pending or recently released. The vulnerability is critical for organizations relying on ManageEngine Exchange Reporter Plus for monitoring Microsoft Exchange environments, as it could lead to unauthorized data access or manipulation through client-side script execution.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive email and reporting data managed through ManageEngine Exchange Reporter Plus. Successful exploitation could enable attackers to steal session tokens, credentials, or sensitive report data, potentially leading to broader network compromise or data breaches. Since the product is used to monitor Exchange servers, which are critical communication infrastructure, the impact could extend to disruption of business operations and loss of trust. The requirement for limited privileges and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially in environments where users have elevated access to the reporting tool. Organizations in sectors such as finance, healthcare, government, and critical infrastructure in Europe are particularly at risk due to the sensitivity of their email communications and regulatory requirements around data protection (e.g., GDPR).

1. Apply official patches or updates from Zohocorp as soon as they become available to address CVE-2025-7633. 2. Until patches are applied, restrict access to the ManageEngine Exchange Reporter Plus application, especially limiting the ability to create or view custom reports to trusted administrators only. 3. Implement strict input validation and output encoding on all user-supplied data within the application, particularly in custom report fields, to prevent script injection. 4. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting the execution of unauthorized scripts. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities within the reporting tool. 6. Educate users about the risks of interacting with untrusted reports or links within the application. 7. Monitor logs for unusual activity related to report creation or viewing that could indicate exploitation attempts. 8. Consider network segmentation and application-level firewalls to limit exposure of the reporting tool to only necessary users and systems.