CVE-2026-11374 PUBLISHED

Account Takeover via Predictable SSO Ticket Generation

Assigner: Zohocorp
Reserved: 05.06.2026 Published: 23.06.2026 Updated: 23.06.2026

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	zohocorp
Product	manageengine_adselfservice_plus
Versions	Default: unaffected affected from 0 to 6529 (excl.)

Vendor	zohocorp
Product	manageengine_recovery_manager_plus
Versions	Default: unaffected affected from 0 to 6321 (excl.)

Vendor	zohocorp
Product	manageengine_m365_manager_plus
Versions	Default: unaffected affected from 0 to 4817 (excl.)

Vendor	zohocorp
Product	manageengine_adaudit_plus
Versions	Default: unaffected affected from 0 to 8703 (excl.)

References

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html

Problem Types

CWE-340: Generation of Predictable Numbers or Identifiers CWE
CWE-330: Use of Insufficiently Random Values CWE
CWE-287: Improper Authentication CWE

Impacts

CAPEC-59 Session Credential Falsification through Prediction