Manageengine Recovery Manager Plus
Monthly
Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because the SSO session-authentication tickets are generated with insufficient randomness and can therefore be predicted by an unauthenticated remote attacker. An attacker who predicts a valid ticket can impersonate arbitrary users, with full confidentiality, integrity, and availability impact at the session level (CVSS 9.0). No public exploit was identified at the time of analysis, but the issue is acknowledged in the vendor advisory.