
ManageEngine ADSelfService Plus CVE-2026-11374

EUVD: EUVD-2026-38423 · CRITICAL
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-06-23 · Zohocorp · GHSA-hp5g-5g9f-49wq
9.0 (CVSS 3.1) · Vendor: Zohocorp

Severity by source

Vendor (Zohocorp), primary: 9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today AI: 9.0 CRITICAL
Network-reachable SSO endpoint, no auth or UI, but predicting a ticket is non-trivial (AC:H); scope changes as session compromise pivots into managed AD/M365 identities.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Zohocorp).

CVSS Vector (Vendor: Zohocorp)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 23, 2026, 11:16 (EUVD)
Analysis generated: Jun 23, 2026, 09:29 (vuln.today)

Description (CVE.org)

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

Analysis (AI)

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed ManageEngine SSO endpoint
Delivery: Collect sample SSO tickets
Exploit: Predict next valid ticket value
Execution: Submit forged ticket to session endpoint
Persist: Hijack target user session
Impact: Perform privileged AD/M365 actions

Vulnerability Assessment (AI)

Exploitation: The attacker must have network reachability to the affected ManageEngine product's web interface and must specifically target the SSO authentication ticket generation path; installations that do not have SSO enabled, or that do not expose the SSO endpoints to untrusted networks, reduce the realistic attack surface. …

Risk Assessment: The CVSS:3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H rates this 9.0 Critical: network-reachable, no authentication or user interaction required, and scope-changed full impact, because compromise of one user's SSO session can pivot into the identity systems these products manage, including AD, M365, and password-reset workflows. …

Exploit Scenario: An unauthenticated attacker reachable on the network sends repeated requests to the ManageEngine SSO endpoint, observes the returned ticket values, and uses their observable structure or weak RNG seeding to predict the next valid ticket issued to a legitimate user (or for a chosen account). Submitting that predicted ticket to the session-binding endpoint lets the attacker authenticate as the target user and perform any action that user is authorized for, including AD password resets, account unlocks, or M365 administration, depending on the product. …

Remediation: A patch is available per the vendor advisory; upgrade each affected ManageEngine product to the fixed build listed in the Zoho advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html (the exact fix version is not provided in the input data and should be confirmed against the advisory before scheduling). …

Recommended Action (AI)

Within 24 hours: Identify all ManageEngine products in use (ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, ADAudit Plus) and document current versions. …

CVE-2026-11374 vulnerability details – vuln.today