CVE-2026-11374
Status: Received - Intake
Predictable SSO Ticket in ManageEngine Products

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: ManageEngine

Description
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.
Affected Vendors & Products (4 associated CPEs)

Vendor         Product               Version / Range
manageengine   adselfservice_plus    6529
manageengine   recoverymanager_plus  6321
manageengine   m365_manager_plus     4817
manageengine   adaudit_plus          8703
CWE IDs

CWE-330: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-11374 is a high-severity vulnerability in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when integrated with ManageEngine AD360.

The vulnerability occurs because the single sign-on (SSO) tickets generated to authenticate user sessions can be predicted by an unauthenticated attacker.

This predictability allows attackers to impersonate legitimate users and gain unauthorized access to their accounts.

Impact Analysis

This vulnerability can lead to account takeover by allowing attackers to impersonate legitimate users without authentication.

Attackers can gain unauthorized access to sensitive information and potentially escalate their privileges within the affected systems.

This can result in data breaches, loss of control over user accounts, and compromise of organizational security.

Mitigation Strategies

To mitigate CVE-2026-11374, users should immediately apply the latest service packs released for the affected ManageEngine products.

  • Update ADSelfService Plus to version 6529 or later.
  • Update RecoveryManager Plus to version 6321 or later.
  • Update M365 Manager Plus to version 4817 or later.
  • Update ADAudit Plus to version 8703 or later.

These updates fix the issue where SSO tickets could be predicted by unauthenticated users, preventing potential account takeover and privilege escalation.

Compliance Impact

The vulnerability allows unauthenticated attackers to predict SSO tickets and take over user accounts, potentially leading to unauthorized access and privilege escalation.

Such unauthorized access could result in exposure or misuse of sensitive personal or health information, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of user data.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to compromised account security and potential data breaches.
