What is CVE-2025-66516?
CVE-2025-66516 affects tika-core.jar version 2.4.1, a library used for parsing various document formats. The vulnerability is an XML External Entity (XXE) injection flaw that occurs specifically during PDF document parsing. Attackers could potentially exploit this vulnerability to read sensitive files or cause denial of service when malicious PDFs are processed.
Does it impact ADManager Plus?
There's no impact to ADManager Plus. Here's why:
ADManager Plus does not parse PDFs: The application has no functionality that processes or parses PDF documents, eliminating the attack surface entirely.
Additional layers of protection: ADManager Plus includes web application firewall (WAF) rules that detect and block XXE injection attempts in any uploaded files.
Customer action required
There's no action needed by ADManager Plus customers. This vulnerability does not pose a risk to ADManager Plus deployments.
Conclusion
CVE-2025-66516 is not applicable to ADManager Plus.
The product does not use the PDF parsing functionality required to trigger the issue.
Existing WAF protections further mitigate any potential risk.
We will continue to monitor and proactively assess any reported vulnerabilities to ensure the security of ADManager Plus.