Friday, April 17, 2026

Critical Security Bug In Zoho Analytics Plus Lets Attackers Execute Arbitrary SQL Commands

Zoho Corporation, known for its suite of business software, has disclosed a serious security flaw in its Analytics Plus tool.

This vulnerability, tracked as CVE-2025-8324, allows unauthenticated attackers to inject malicious SQL code into the system.

Found in the on-premises product, the bug stems from insufficient validation of user input reaching an endpoint that is exposed without authentication, so it can be exploited remotely with no login credentials.

Companies using this analytics platform for IT operations now face urgent risks of data breaches and unauthorized access.

The issue affected builds before 6170 and was fixed in build 6171, released on August 1, 2025.

Analytics Plus is a popular business intelligence tool from ManageEngine that helps organizations visualize data from IT systems, networks, and applications.

It supports AI-driven insights, predictive analytics, and database integrations, including SQL Server and Oracle.

Users rely on it for tasks such as monitoring server performance, tracking security events, and generating reports on endpoint management.

With features like Agentic AI for automated workflows and Zia for natural language queries, it processes sensitive data, including user credentials and business metrics.

This makes the SQL injection flaw particularly dangerous, as attackers could target databases holding confidential information.

Vulnerability Details

The core problem lies in the improper configuration of request filters on the application's endpoints, which left a URL that passes user input through to the database reachable without authentication.

Attackers can send crafted HTTP requests to the vulnerable URL with SQL fragments in a request parameter. The textbook payload is ' OR 1=1 -- : the quote closes the string literal the application built around the input, OR 1=1 makes the WHERE clause always true, and -- comments out whatever remained of the original statement. No authentication needs to be bypassed, because the endpoint itself is exposed. The exact parameter and payload for CVE-2025-8324 are not reproduced here; the examples illustrate the general technique.

This classic SQL injection technique tricks the backend database into executing statements the developer never wrote, such as a SELECT * FROM users appended with UNION, to dump sensitive data alongside the expected result.

Since it’s unauthenticated, no valid session is required, lowering the barrier for exploits.

The vulnerability carries a CVSS score of 9.8 out of 10, classifying it as critical: it is reachable over the network without credentials and has high impact on confidentiality, integrity, and availability.

Technically, the flaw occurs because user-supplied query parameters are not properly sanitized or parameterized.

For instance, in a BI tool like Analytics Plus, a filter or report name supplied by the user might be spliced directly into the SQL text instead of being passed as a bound parameter, so attacker-controlled characters become part of the statement rather than data compared against a column.
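To make the distinction concrete, here is an added example (not Analytics Plus code, and not from the article's author) that puts the concatenation anti-pattern beside its parameterized fix. The schema, rows, function names and payloads are constructed for the demonstration, and SQLite stands in for the real backend so the file runs offline with only the standard library.

```python
"""
Added example: the concatenation anti-pattern beside its parameterized fix.

Illustrative code, not Analytics Plus source. The schema, rows and function
names are constructed for the demo; SQLite stands in for the real backend so
the file runs offline with nothing but the standard library.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, public INTEGER);
        INSERT INTO reports VALUES (1, 'Server Uptime', 'alice', 1);
        INSERT INTO reports VALUES (2, 'Endpoint Inventory', 'bob', 1);
        INSERT INTO reports VALUES (3, 'Security Events', 'carol', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-key-alice');
        INSERT INTO users VALUES (2, 'bob', 'constructed-key-bob');
        """
    )
    return conn


def public_reports_vulnerable(conn: sqlite3.Connection, name_filter: str) -> list:
    """VULNERABLE: the caller's string is spliced into the SQL text.

    Anything after a single quote in name_filter is parsed as SQL, so the
    'public = 1' restriction can be neutralised, or the query extended with
    UNION to read other tables.
    """
    sql = (
        "SELECT id, name FROM reports WHERE public = 1 AND name = '"
        + name_filter
        + "'"
    )
    return conn.execute(sql).fetchall()


def public_reports_fixed(conn: sqlite3.Connection, name_filter: str) -> list:
    """FIXED: a bound parameter. The driver sends the value separately from the
    statement text, so quotes, OR and -- inside it are only characters that get
    compared against the name column."""
    sql = "SELECT id, name FROM reports WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


# Textbook payloads of the kind described above (constructed for the demo).
TAUTOLOGY = "' OR 1=1 --"                           # makes the WHERE clause always true
EXFIL = "' UNION SELECT id, api_key FROM users --"  # reads a table the query never named


def demo() -> dict:
    """Run both payloads against both versions and return what each leaks."""
    conn = make_db()
    return {
        "vulnerable_tautology": len(public_reports_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_exfil": public_reports_vulnerable(conn, EXFIL),
        "fixed_tautology": public_reports_fixed(conn, TAUTOLOGY),
        "fixed_exfil": public_reports_fixed(conn, EXFIL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable function the tautology payload returns every report, including the one marked non-public, and the UNION payload returns the API keys from a table the query never referenced; the parameterized version returns no rows for either, because it is looking for a report literally named after the payload.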

Successful attacks could lead to data exfiltration, where attackers retrieve hashed passwords or API keys; data manipulation, altering reports or metrics; or even denial-of-service by overwhelming the database with heavy queries.

In the worst case, if the application's database account has elevated privileges, attackers might escalate to complete server control through the file-write or command-execution features some database engines expose to privileged users.

Real-world parallels include past SQL injection breaches that exposed millions of records, resulting in financial losses and regulatory fines.

The vulnerability was responsibly reported by security researcher devme4f from VNPT-VCI via Zoho’s Bug Bounty program.

No evidence of active exploitation has surfaced yet, but given the tool’s use in enterprises for IT security analytics, scanning for exposed instances is advised.

Tools like SQLMap can detect such flaws by automating payload tests; run them only against instances you are authorized to test, and expect their probes to show up in the server's access logs.

Mitigation Steps

Zoho has fixed the issue by adding strict URL restrictions and removing insecure code paths in build 6171. Users should immediately upgrade via the service pack page, backing up data first to avoid disruptions.

The process involves downloading the patch and following the on-screen instructions for on-premise setups.

For those unable to update right away, a web application firewall (WAF) with SQL injection (SQLi) rules can block obvious requests. It is not a substitute for patching: signature rules can be evaded with encoding or less common SQL syntax, and the underlying flaw remains.

Best practices include using least-privilege database accounts, enabling query logging to spot anomalies, and conducting regular vulnerability scans with tools like Nessus.

Organizations handling sensitive data in Analytics Plus should review access logs for unusual activity going back at least to July 2025, the period in which the flaw is believed to have been present before the August 1 fix. Zoho urges affected users to contact support for guidance.
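The log review and query-logging advice above is easier to act on with a concrete triage pass. The following is an added example, not part of the article or of ManageEngine's tooling: it scans access-log lines in the common Apache/Tomcat combined format for SQL injection indicators after URL-decoding the request, and tallies hits per source address. The log lines are constructed, and the request paths in them are hypothetical placeholders rather than the real vulnerable endpoint. It goes slightly beyond the article's tautology payload by also flagging UNION, comment, time-delay and stacked-query patterns and a scanner user agent.

```python
"""
Added example: first-pass triage of web-server access logs for SQL injection
attempts, the kind of review the mitigation advice calls for.

Not part of the article or of ManageEngine's tooling. The log lines are
constructed in Apache/Tomcat combined format and the request paths are
hypothetical; the real vulnerable endpoint is not reproduced here.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log: one benign request, one login, three injection attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2025:10:01:12 +0000] "GET /reports/view?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2025:10:02:03 +0000] "GET /reports/view?id=42%27%20OR%201%3D1%20-- HTTP/1.1" 200 48211 "-" "python-requests/2.31"
203.0.113.9 - - [29/Jul/2025:10:02:04 +0000] "GET /reports/view?id=42%27%20UNION%20SELECT%20username%2Capi_key%20FROM%20users-- HTTP/1.1" 200 9120 "-" "python-requests/2.31"
10.0.0.7 - - [29/Jul/2025:10:03:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2025:10:04:11 +0000] "GET /reports/view?id=42%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 4800 "-" "sqlmap/1.7"
"""

# Combined format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators are matched against the URL-decoded request target.
INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"--(\s|$)|/\*")),
    ("time_based", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I)),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap|havij|nikto", re.I)


def analyze_access_log(log_text: str) -> list:
    """Return (ip, timestamp, decoded_target, [indicator names]) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Decode twice so %2527-style double encoding does not hide a quote.
        target = unquote_plus(unquote_plus(m["target"]))
        hits = [name for name, rx in INDICATORS if rx.search(target)]
        if SCANNER_UA.search(m["ua"]):
            hits.append("scanner_user_agent")
        if hits:
            findings.append((m["ip"], m["ts"], target, hits))
    return findings


def summarize_by_source(findings: list) -> dict:
    """Count flagged requests per client IP; one source with many hits reads as a scanner."""
    counts = {}
    for ip, _ts, _target, _hits in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_access_log(SAMPLE_LOG)
    for ip, ts, target, hits in results:
        print(f"{ts} {ip} {target} -> {', '.join(hits)}")
    print("per-source:", summarize_by_source(results))
```

Pattern matching of this kind is a starting point for a review, not proof of compromise or of its absence: a 200 response with an unusually large body on a flagged request is worth pulling the database query log for, and payloads that avoid quotes or use vendor-specific syntax will slip past these five patterns.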

This incident underscores the need for robust input validation in BI tools, particularly as AI features expand the attack surface. Staying patched remains key to safeguarding IT analytics environments.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
