CVE-2025-1724 : AD Authentication User Account takeover vulnerability in Zoho Analytics On-Premise
Severity: High
CVE ID: CVE-2025-1724
| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Zoho Analytics On-Premise | Zoho Analytics On-Premise Windows builds below 6130 | Build 6130 | March 11, 2025 |
Details
A vulnerability has been discovered in Zoho Analytics On-Premise, which allows unauthorized access to authenticated AD user accounts. This could potentially lead to the unauthorized exposure of user information.
Impact
This vulnerability could lead to the unauthorized exposure of unauthorized user information, potentially resulting in account takeovers.
Applicability
This problem specifically applies to Windows installations in instances where users access Zoho Analytics On-Premise through Windows-based active directory authentication, without Active Directory SSO configuration.
Fix
This issue has been resolved by generating installation-specific keys and securely storing them with sufficient encryption.
Steps to upgrade
- Kindly download the latest upgrade pack from here.
- Follow the instructions detailed in the above service pack page to upgrade to the latest build.
Acknowledgements
This vulnerability was reported by Muhammed Mekkawy through our Bug Bounty portal.
For any questions or concerns, please write to us at onprem-support@zohoanalytics.com