Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable SSO endpoint, no auth or UI, but predicting a ticket is non-trivial (AC:H); scope changes as session compromise pivots into managed AD/M365 identities.
Primary rating from Vendor (Zohocorp).
CVSS Vector (Vendor: Zohocorp): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
Analysis (AI)
Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have network reachability to the affected ManageEngine product's web interface and must target the SSO authentication ticket generation path specifically; installations that do not have SSO enabled, or that are deployed without exposing the SSO endpoints to untrusted networks, reduce the realistic attack surface. … |
| Risk Assessment | The CVSS:3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H rates this 9.0 Critical: network-reachable, no authentication or user interaction required, and scope-changed full impact (because compromise of one user's SSO can pivot into the identity systems these products manage, including AD, M365, and password-reset workflows). … |
| Exploit Scenario | An unauthenticated attacker reachable on the network sends repeated requests to the ManageEngine SSO endpoint, observes returned ticket values, and uses the observable structure or weak RNG seeding to predict the next valid ticket issued to a legitimate user (or for a chosen account). Submitting that predicted ticket to the session-binding endpoint lets the attacker authenticate as the target user and perform any action that user is authorized for, including AD password resets, account unlocks, or M365 administration depending on the product. … |
| Remediation | Patch available per vendor advisory: upgrade each affected ManageEngine product to the fixed build listed in the Zoho advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html (exact fix version not provided in the input data and should be confirmed against the advisory before scheduling). … |
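The analysis above attributes the takeover to SSO tickets generated with insufficient randomness, and the exploit scenario notes that prediction starts with repeated requests to the ticket endpoint. The Python below is an added illustration, not code from vuln.today, the Zoho advisory, or the ManageEngine products: it contrasts a clock-seeded ticket issuer with a CSPRNG-backed, single-use, expiring issuer, includes an assurance check that distinguishes the two, and runs a per-source burst count over constructed access-log lines. The `/sso/ticket` path, the log layout, the user names, and the IP addresses are all constructed assumptions for this example.

```python
import random
import secrets
import time
from collections import Counter


def weak_ticket(user: str, now_ms: int) -> str:
    """Vulnerable pattern (constructed for illustration, not the product's code):
    a PRNG seeded from the millisecond clock. Every ticket issued in the same
    millisecond is identical, and the value follows from the issue time."""
    rng = random.Random(now_ms)
    return f"{user}:{rng.getrandbits(64):016x}"


def secure_ticket(user: str, now_ms: int = 0) -> str:
    """Hardened pattern: 256 bits from the OS CSPRNG. now_ms is accepted only so
    both issuers share a signature for the check below; it is deliberately unused."""
    return f"{user}:{secrets.token_hex(32)}"


def distinct_tickets(issuer, user: str, n: int) -> int:
    """Assurance check: issue n tickets for one user at one instant and count the
    distinct values. A sound issuer returns n; the clock-seeded one returns 1."""
    now_ms = int(time.time() * 1000)
    return len({issuer(user, now_ms) for _ in range(n)})


class TicketStore:
    """Server side: tickets are single-use, short-lived and bound to the user they
    were issued for, so a guessed or replayed ticket yields nothing."""

    def __init__(self, ttl_ms: int = 60_000):
        self.ttl_ms = ttl_ms
        self._pending = {}  # ticket -> (user, issued_ms)

    def issue(self, user: str, now_ms: int) -> str:
        ticket = secure_ticket(user)
        self._pending[ticket] = (user, now_ms)
        return ticket

    def redeem(self, ticket: str, now_ms: int):
        """Return the user on success, None otherwise. The ticket is removed on
        first presentation whether or not it is still valid, so it cannot be
        replayed; a 256-bit random value makes a plain dict lookup acceptable."""
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None
        user, issued_ms = entry
        if now_ms - issued_ms > self.ttl_ms:
            return None
        return user


# Constructed access-log lines: "<timestamp> <source_ip> <method> <path> <status>".
# 198.51.100.7 hammers the ticket endpoint; 10.0.0.5 behaves like a normal user.
SAMPLE_LOG = [f"2026-01-01T00:00:{i:02d}Z 198.51.100.7 GET /sso/ticket 200" for i in range(30)]
SAMPLE_LOG += [
    "2026-01-01T00:00:05Z 10.0.0.5 GET /sso/ticket 200",
    "2026-01-01T00:00:06Z 10.0.0.5 POST /sso/login 302",
]


def burst_sources(log_lines, threshold: int, path_prefix: str = "/sso/ticket"):
    """Count requests to the ticket endpoint per source and return the sources at
    or above threshold, sorted. The log layout and path are assumptions here."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[3].startswith(path_prefix):
            counts[parts[1]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("weak issuer, distinct tickets:", distinct_tickets(weak_ticket, "alice", 20))
    print("secure issuer, distinct tickets:", distinct_tickets(secure_ticket, "alice", 20))
    store = TicketStore(ttl_ms=1_000)
    t = store.issue("alice", 1_000)
    print("first redeem:", store.redeem(t, 1_500), "| second redeem:", store.redeem(t, 1_600))
    print("burst sources:", burst_sources(SAMPLE_LOG, threshold=20))
```

The `distinct_tickets` check is the kind of unit test worth keeping in a ticket issuer's test suite: it fails loudly for any generator whose output depends only on the clock, and it passes for anything backed by the OS CSPRNG. The burst count is deliberately simple; in production the same idea would run per user or per account as well as per source, since the scenario above targets a chosen account.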
Recommended Action (AI)
Within 24 hours: Identify all ManageEngine products in use (ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, ADAudit Plus) and document current versions. …
- Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, ex
- Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the a
- CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and e
- A SQL injection vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.
- Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus
- Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to pe
Same technique: Information Disclosure
EUVD-2026-38423
GHSA-hp5g-5g9f-49wq