← Back to all sparks
M

ManageEngine Exchange Reporter Plus

ANALYTICS
Velocity0.0

Reporting, auditing, and monitoring for Exchange Server and Microsoft 365

Exchange Reporter Plus is in security-and-compatibility mode, chasing Microsoft's cmdlet deprecations and closing XSS reports.

exchange-reportingsecurity-fixesmicrosoft-365entra-authcmdlet-migrationcompliance
Current state
Exchange Reporter Plus is running a maintenance-first release cycle dominated by two forces: a steady stream of bug-bounty-reported security fixes (stored XSS, path traversal, ReDoS) and the need to keep pace with Microsoft's Exchange Online changes. Feature work is sparse and mostly plumbing — cmdlet migrations, JRE updates, and a shift away from dedicated service accounts toward Entra app registration.
Where it's heading
The product's near-term direction is defined less by new capability than by keeping reporting intact as Microsoft deprecates the cmdlets it depends on (Get-Message, Search-AdminAuditLog) and tightens tenant access. The one clearly forward-looking thread is authentication modernization — moving Exchange Online configuration to Entra app registration and removing the MFA-disable requirement — which improves security posture without expanding the reporting surface.
Prediction
Expect the security-fix cadence to continue and further Microsoft-driven cmdlet and auth migrations as Exchange Online evolves, with feature additions remaining incremental.

Recent moves

  1. 3mo ago

    Build 5802: Duo SDK certificate update and XSS fix

    Build 5802 updates the Duo Universal Java SDK for expiring certificates and fixes a stored XSS (CVE-2026-27655) — dependency maintenance plus a security patch, consistent with the security-first cadence.

  2. 5mo ago

    Build 5801: searchable scheduled-task history and fixes

    Build 5801 makes Scheduled Tasks History searchable with source-server and collection-period visibility, plus content-search and mail-config fixes — a genuine usability gain amid the maintenance stream.

  3. 6mo ago

    Build 5800: Exchange Online moves to Entra app registration

    Build 5800 drops the dedicated service-account requirement for the Exchange Online module in favor of an Entra app registration, removing the need to disable MFA — a meaningful auth-modernization and security-posture improvement.

  4. 8mo ago

    Build 5726: migrate to Get-MessageTraceV2 cmdlet

    Build 5726 migrates reports and audits to Microsoft's Get-MessageTraceV2 cmdlet ahead of the deprecation of Get-Message and updates the bundled JRE — compatibility work needed to keep reporting uninterrupted.

  5. 11mo ago

    Build 5724: stored XSS fixes in Audit and Reports

    Build 5724 patches four stored XSS vulnerabilities in the Audit and Reports modules plus assorted issue fixes — bug-bounty-driven security maintenance.

  6. 1y ago

    Build 5723: XSS, path traversal, and Redis auth fixes

    Build 5723 fixes stored XSS, a Schedule Reports path traversal, and an unauthenticated Redis exposure — a security-hardening release with no new features.