CVE-2025-9787: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Zohocorp ManageEngine Applications Manager
Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to a stored Cross-Site Scripting vulnerability in the NOC view.
AI Analysis
Technical Summary
CVE-2025-9787 is a stored Cross-Site Scripting (XSS) vulnerability identified in Zohocorp's ManageEngine Applications Manager, versions 177400 and earlier. The flaw exists in the Network Operations Center (NOC) view, where user-supplied input is improperly sanitized before being embedded in web pages, violating CWE-79 standards for input neutralization. This improper handling allows an attacker with high privileges (PR:H) to inject malicious scripts that are stored and later executed in the context of other users who view the affected page, requiring user interaction (UI:R) to trigger. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity. The attack vector is network-based (AV:N), with low complexity (AC:L), but requires authentication and user interaction, limiting exploitation scope. Successful exploitation can compromise confidentiality and integrity by stealing session tokens, credentials, or performing unauthorized actions on behalf of users. No availability impact is noted. No public exploits are currently known, but the vulnerability poses a significant risk in environments where ManageEngine Applications Manager is used for critical monitoring and management tasks. The absence of a patch at the time of disclosure necessitates immediate mitigation efforts.
Potential Impact
The vulnerability allows attackers with legitimate high-level access to inject persistent malicious scripts into the NOC view, potentially compromising the confidentiality and integrity of sensitive monitoring data and user sessions. This can lead to unauthorized access, data theft, session hijacking, or manipulation of monitoring outputs, undermining trust in the management platform. Although availability is not directly affected, the indirect consequences of compromised integrity and confidentiality can disrupt operational decision-making and incident response. Organizations relying on ManageEngine Applications Manager for critical infrastructure monitoring or IT service management are at risk of targeted attacks that exploit this vulnerability to escalate privileges or move laterally within networks. The requirement for authentication and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk in environments with multiple administrators or users with elevated privileges.
Mitigation Recommendations
Until an official patch is released, organizations should implement strict input validation and sanitization on all user inputs within the NOC view, employing server-side filtering to neutralize potentially malicious scripts. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Limit the number of users with high privileges and enforce the principle of least privilege to reduce the attack surface. Monitor logs for unusual activity indicative of attempted script injection or exploitation attempts. Educate administrators and users about the risks of clicking on suspicious links or interacting with untrusted content within the management console. Once available, promptly apply vendor-supplied patches or updates. Consider isolating the management application in a segmented network zone with restricted access to minimize exposure. Employ web application firewalls (WAFs) with rules targeting XSS payloads as an additional protective layer.
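The two technical mitigations above, server-side neutralization of stored input before it is written into the page and a Content Security Policy that stops injected inline script from running, are illustrated below in an added Python example. It is not ManageEngine code and makes no claim about how the NOC view is actually built; the monitor records, field names, URL path and tile markup are constructed for illustration. The example renders a small NOC-style tile list once without encoding (the CWE-79 pattern) and once with per-context encoding, and includes a check a defender can run over rendered output to confirm that no active markup survived.

```python
"""Added example (not ManageEngine code): contextual output encoding for a
NOC-view style dashboard plus a restrictive Content-Security-Policy header.
All field names, sample values and markup here are constructed."""
import html
import re
from typing import Dict, List
from urllib.parse import quote

# Constructed sample: monitor records as a privileged user might have saved
# them. The second record carries markup in its display name; a correct
# renderer must show it as inert text rather than interpret it as HTML.
SAMPLE_MONITORS: List[Dict[str, str]] = [
    {"name": "db-primary", "status": "up", "host": "10.0.0.5"},
    {"name": "<img src=x onerror=alert(1)>", "status": "down", "host": "10.0.0.6"},
]

ALLOWED_STATUS = {"up", "down", "warning"}


def encode_html_text(value: str) -> str:
    """Escape for HTML element content: & < > " ' become entities."""
    return html.escape(str(value), quote=True)


def encode_html_attr(value: str) -> str:
    """Escape for a double-quoted HTML attribute value."""
    return html.escape(str(value), quote=True)


def encode_url_param(value: str) -> str:
    """Percent-encode a value destined for a URL query parameter."""
    return quote(str(value), safe="")


def safe_status_class(status: str) -> str:
    """Allow-list a stored value that lands in a CSS class; unknown -> 'unknown'."""
    return status if status in ALLOWED_STATUS else "unknown"


def render_noc_tile_unsafe(monitor: Dict[str, str]) -> str:
    """The CWE-79 pattern: stored fields concatenated into markup verbatim."""
    return (
        f'<div class="tile {monitor["status"]}" title="{monitor["host"]}">'
        f'<a href="/monitor?name={monitor["name"]}">{monitor["name"]}</a></div>'
    )


def render_noc_tile(monitor: Dict[str, str]) -> str:
    """Hardened form: each stored field is encoded for the context it lands in
    (CSS class via allow-list, attribute, URL parameter inside an attribute,
    element text)."""
    name = monitor["name"]
    return (
        f'<div class="tile {safe_status_class(monitor["status"])}" '
        f'title="{encode_html_attr(monitor["host"])}">'
        f'<a href="/monitor?name={encode_html_attr(encode_url_param(name))}">'
        f'{encode_html_text(name)}</a></div>'
    )


def render_noc_view_unsafe(monitors: List[Dict[str, str]]) -> str:
    return "".join(render_noc_tile_unsafe(m) for m in monitors)


def render_noc_view(monitors: List[Dict[str, str]]) -> str:
    return "".join(render_noc_tile(m) for m in monitors)


# Response header that blocks inline and third-party script even if encoding
# is ever missed somewhere; tighten or loosen the sources to fit the deployment.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'self'",
)


def contains_active_markup(rendered: str) -> bool:
    """Defender check over rendered HTML: True if a tag still carries an
    on* event-handler attribute or a <script> tag is present, i.e. some
    stored value reached the page without being neutralized."""
    pattern = r"<\w+[^>]*\bon\w+\s*=|<script\b"
    return re.search(pattern, rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe render has active markup:", contains_active_markup(render_noc_view_unsafe(SAMPLE_MONITORS)))
    print("hardened render has active markup:", contains_active_markup(render_noc_view(SAMPLE_MONITORS)))
    print("%s: %s" % CSP_HEADER)
```

The point of separate encoders is that one escaping routine does not fit every context: a value inside an href needs URL encoding before attribute encoding, and a value used as a CSS class is safest handled by an allow-list rather than escaping. `contains_active_markup` is a coarse regression check for rendered output, not a substitute for encoding at the template layer.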
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: Zohocorp
- Date Reserved: 2025-09-01T09:56:49.733Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69440f154eb3efac368cd713
Added to database: 12/18/2025, 2:26:29 PM
Last enriched: 2/27/2026, 7:01:47 AM
Last updated: 3/25/2026, 1:39:49 AM
Views: 66