CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

Raxis lead penetration tester Matt Dunn discovers an information leakage vulnerability in ManageEngine’s Asset Explorer CVE-2022-25245

Categories:

Posted on

By

CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

I’m Matt Dunn, a lead penetration tester at Raxis. Recently, I discovered an information leakage in ManageEngine Asset Explorer. This is a relatively minor information leakage, as it only leaks the currency that a current vendor uses. Though minor, it could lead to other inferred information such as vendor location based on their currency.

Proof of Concept

The information leakage occurs in the AJaxDomainServlet when given the action of getVendorCurrency. This servlet action does not require authentication, allowing a user to obtain a vendor’s currency with a GET request to a URL similar to the following:

http://192.168.148.128:8011/domainServlet/AJaxDomainServlet?action=getVendorCurrency&vendorId=3

In this example URL, we request the currency for the vendor with the specified vendorId. If the vendor doesn’t have an assigned currency, the dollar symbol is returned. If it does, the vendor’s specific currency identifier is returned, as shown here:

Vendor Currency Revealed in Unauthenticated Request
Affected Versions

Raxis discovered this vulnerability on Manage Engine Asset Explorer Plus 6.9 Build 6970.

Remediation

Upgrade ManageEngine Asset Explorer to Version 6.9 Build 6971 or later, which can be found here:

Disclosure Timeline
  • February 14, 2022 – Vulnerability reported to Zoho
  • February 15, 2022 – Zoho begins investigation into report
  • February 16, 2022 CVE-2022-25245 is assigned to this vulnerability
  • March 9, 2022 – Zoho releases fixed version 6.9 Build 6971
CVE Links

 

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.

More From Raxis

  • Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities

    Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities

    By Jason Taylor • July 22, 2025
  • OWASP Top 10 for LLM Applications

    OWASP Top 10 for LLM Applications Penetration Testing

    By Jason Taylor • July 15, 2025
  • Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key

    Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key for Penetration Testing

    By Scottie Cole • June 17, 2025
  • Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing

    Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing

    By Jason Taylor • June 3, 2025