CVE-2026-11374

Account Takeover via Predictable SSO Ticket Generation

CVSS 9 CRITICALEPSS 1.2%CWE-287 CWE-330 CWE-340

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Productos afectados

zohocorp · manageengine_adaudit_plus zohocorp · manageengine_adselfservice_plus zohocorp · manageengine_m365_manager_plus zohocorp · manageengine_recovery_manager_plus

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html