CVE-2026-11374

CRITICAL

zohocorp manageengine_adselfservice_plus - Account Takeover via Predictable SSO Ticket Generation

Title source: rule
STIX 2.1

Description

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

Scores

CVSS v3 9.0
EPSS 0.0124
EPSS Percentile 65.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-330 CWE-340
Status published
Products (4)
zohocorp/manageengine_adaudit_plus < 8703
zohocorp/manageengine_adselfservice_plus < 6529
zohocorp/manageengine_m365_manager_plus < 4817
zohocorp/manageengine_recovery_manager_plus < 6321
Published Jun 23, 2026
Tracked Since Jun 23, 2026