CVE-2026-11374
Awaiting Analysis
Awaiting Analysis - Queue
Predictable SSO Ticket in ManageEngine Products
Vulnerability report for CVE-2026-11374, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-06-24
Assigner: ManageEngine
Description
Description
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted
by an unauthenticated user, leading to account takeover.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| manageengine | adselfservice_plus | 6529 |
| manageengine | recoverymanager_plus | 6321 |
| manageengine | m365_manager_plus | 4817 |
| manageengine | adaudit_plus | 8703 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |