CVE-2026-11374
9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | 0 < 6529 | affected |
| zohocorp | manageengine_recovery_manager_plus | 0 < 6321 | affected |
| zohocorp | manageengine_m365_manager_plus | 0 < 4817 | affected |
| zohocorp | manageengine_adaudit_plus | 0 < 8703 | affected |
Weaknesses
- CWE-340: CWE-340: Generation of Predictable Numbers or Identifiers
- CWE-330: CWE-330: Use of Insufficiently Random Values
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.