CVE-2026-11374
CRITICALzohocorp manageengine_adselfservice_plus - Account Takeover via Predictable SSO Ticket Generation
Title source: ruleDescription
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
References (1)
Core 1
Scores
CVSS v3
9.0
EPSS
0.0124
EPSS Percentile
65.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
CWE-330
CWE-340
Status
published
Products (4)
zohocorp/manageengine_adaudit_plus
< 8703
zohocorp/manageengine_adselfservice_plus
< 6529
zohocorp/manageengine_m365_manager_plus
< 4817
zohocorp/manageengine_recovery_manager_plus
< 6321
Published
Jun 23, 2026
Tracked Since
Jun 23, 2026