A severe security vulnerability has been identified in ManageEngine Exchange Reporter Plus that could allow attackers to execute arbitrary commands on target servers.
Designated as CVE-2025-3835, this critical remote code execution vulnerability affects all Exchange Reporter Plus installations with build 5721 and below.
ManageEngine has responded swiftly by releasing a patch in build 5722 on May 29, 2025.
Security experts are urging all organizations using the affected software to update immediately, as exploitation could lead to complete system compromise and potential data breaches across enterprise environments.
The flaw, tracked as CVE-2025-3835, resides in the Content Search module of Exchange Reporter Plus, the component that lets administrators search through Exchange Server content.
The module fails to properly validate user-supplied parameters, which allows a remote attacker to inject commands that are then executed on the server running the affected build.
Because the application typically runs under a privileged service account, this is an especially dangerous vector: code execution as that account can amount to full control of the host.
Exploitation involves sending specially crafted HTTP requests to the vulnerable Content Search endpoint. A successful request causes attacker-supplied commands to run with the privileges of the Exchange Reporter Plus service account, which typically has elevated permissions on the server.
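The bug class described above is a search parameter reaching a shell command unvalidated. The following is an added, illustrative example and is not Exchange Reporter Plus source code: the page gives no parameter names or the command the module runs, so the `mailbox-cli` tool name, the `--query` flag and the `search_*` helpers below are assumptions chosen only to show the vulnerable pattern beside a hardened one, and to demonstrate (without executing anything) how a shell would split the injected string.

```python
"""Command-injection pattern shown beside a hardened form.

Added illustrative example: NOT Exchange Reporter Plus code. The
`mailbox-cli` tool name and `--query` flag are assumptions.
"""
import re
import shlex

# Assumed back-end tool name; it need not exist, because nothing here is
# executed. Only the command we would hand to the OS matters.
TOOL = "mailbox-cli"

# Allowlist for a search term: word characters, '@', '.', '-', and spaces.
_SAFE_QUERY = re.compile(r"[\w@.\- ]{1,200}")


def build_command_vulnerable(query: str) -> str:
    """Interpolates the user-supplied query into a shell command string.

    Passed to subprocess.run(cmd, shell=True), the single quotes are meant
    to contain the value, but a quote in the input ends them early and any
    metacharacters that follow (';', '|', '&&', '$()', backticks) become
    new shell commands.
    """
    return f"{TOOL} search --query '{query}'"


def build_command_hardened(query: str) -> list[str]:
    """Validates the query against an allowlist and returns an argv list.

    Passed to subprocess.run(argv) with shell=False (the default), the query
    is always exactly one argument and no shell ever parses it, so injection
    is impossible even if the allowlist were later relaxed.
    """
    if not _SAFE_QUERY.fullmatch(query):
        raise ValueError("query contains characters outside the allowlist")
    return [TOOL, "search", "--query", query]


def shell_commands(cmd: str) -> list[list[str]]:
    """Approximates how /bin/sh would split CMD into separate commands.

    Nothing is executed; this only shows what the vulnerable string would
    do. Tokens are split at shell control operators, and '#' starts a
    comment as in sh.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    benign = "alice@corp.example"
    hostile = "'; id #"  # closes the quote, runs `id`, comments out the rest
    print(shell_commands(build_command_vulnerable(benign)))   # one command
    print(shell_commands(build_command_vulnerable(hostile)))  # second command is ['id']
    print(build_command_hardened(benign))
    try:
        build_command_hardened(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix the vendor describes (input validation and sanitization) corresponds to the allowlist in `build_command_hardened`; the argv-list form is the second, independent layer that makes the shell irrelevant even when validation is imperfect.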
The vulnerability is rated critical because successful exploitation can lead to complete compromise of the host running Exchange Reporter Plus.
This could enable threat actors to establish persistent access, move laterally within networks, exfiltrate sensitive data, or deploy additional malicious payloads such as ransomware.
Attack scenarios could include targeted campaigns against financial institutions, government agencies, and large enterprises where Exchange Server deployments are common.
The vulnerability was responsibly disclosed by security researcher Ngockhanhc311 from FPT NightWolf, demonstrating the importance of collaborative security research in identifying and addressing critical vulnerabilities before widespread exploitation occurs.
| Risk Factors | Details |
|---|---|
| Affected Products | ManageEngine Exchange Reporter Plus builds 5721 and earlier |
| Impact | Remote code execution |
| Exploit Prerequisites | Network accessibility to the Content Search endpoint (TCP/8080) and the ability to craft malicious HTTP POST requests |
| CVSS 3.1 Score | 9.8 (Critical) |
ManageEngine has addressed this vulnerability in build 5722, released on May 29, 2025.
The fix implements proper input validation and sanitization in the Content Search module to prevent command injection attempts.
The company strongly advises all customers to update to build 5722 or later immediately and to confirm the installed build number once the upgrade completes.
For organizations unable to update immediately, temporary mitigation strategies include restricting network access to Exchange Reporter Plus instances, implementing additional network segmentation, and enhancing monitoring for suspicious activities targeting the vulnerable component.
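For the monitoring and network-restriction mitigations above, the following added example (not a ManageEngine tool) triages web-server access logs for requests aimed at the Content Search component. Everything it assumes is not taken from the page: the endpoint path prefix `/ContentSearch`, the administrator network 10.0.50.0/24, and the combined-log-format lines, which are constructed for this example. Adapt the constants to the real URL layout and log format before use.

```python
"""Access-log triage for requests aimed at the Content Search component.

Added example, not a ManageEngine tool. The path prefix, admin network
and log lines below are assumptions constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import unquote

CONTENT_SEARCH_PREFIX = "/ContentSearch"  # assumed; verify against your deployment
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.50.0/24")]  # assumed allowlist

# Shell control characters and line breaks that have no business in a search
# term; checked on the URL-decoded path so %3B-style encoding does not hide them.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample, not real traffic. The third line carries a URL-encoded
# "x'; whoami #" in its query string.
SAMPLE_LOG = """\
10.0.50.12 - - [29/May/2025:09:14:02 +0000] "GET /ContentSearch/search?q=quarterly%20report HTTP/1.1" 200 5120
203.0.113.77 - - [29/May/2025:09:14:31 +0000] "POST /ContentSearch/search HTTP/1.1" 200 312
203.0.113.77 - - [29/May/2025:09:14:33 +0000] "GET /ContentSearch/search?q=x%27%3B%20whoami%20%23 HTTP/1.1" 500 88
10.0.50.12 - - [29/May/2025:09:15:10 +0000] "GET /Reports/Mailbox HTTP/1.1" 200 9001
"""


def is_admin_source(ip: str) -> bool:
    """True when the client address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def triage(log_text: str) -> list[dict]:
    """Returns one finding per Content Search request that is either from
    outside the admin networks or carries shell metacharacters in its
    decoded path. POST bodies are not in access logs, so a POST from an
    unexpected source is flagged on origin alone."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m["path"].startswith(CONTENT_SEARCH_PREFIX):
            continue
        reasons = []
        if not is_admin_source(m["ip"]):
            reasons.append("content-search request from outside admin networks")
        if SHELL_META.search(unquote(m["path"])):
            reasons.append("shell metacharacters in decoded request path")
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": m["path"], "status": int(m["status"]), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
```

Because the access log does not record POST bodies, the origin check carries most of the weight for the POST-based exploit path noted in the risk table; pair it with a firewall or reverse-proxy rule that limits the endpoint to the same admin networks so the alert and the control enforce the same boundary.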