
Manageengine Recovery Manager Plus

1 CVEs product


CVE-2026-11374 CRITICAL PATCH Act Now

Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.

Information Disclosure Zoho Manageengine Adaudit Plus Manageengine Adselfservice Plus Manageengine Recovery Manager Plus +1
NVD VulDB
CVSS 3.1: 9.0
EPSS: 1.2%
