CVE-2026-11374

Summary

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

Affected Software

VendorProductVersion RangeStatus
zohocorpmanageengine_adselfservice_plus0 < 6529affected
zohocorpmanageengine_recovery_manager_plus0 < 6321affected
zohocorpmanageengine_m365_manager_plus0 < 4817affected
zohocorpmanageengine_adaudit_plus0 < 8703affected

Weaknesses

  • CWE-340: CWE-340: Generation of Predictable Numbers or Identifiers
  • CWE-330: CWE-330: Use of Insufficiently Random Values
  • CWE-287: CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References