Description

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-23 | Updated 2026-06-23 | Assigner Zohocorp




CRITICAL: 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-340: Generation of Predictable Numbers or Identifiers

CWE-330: Use of Insufficiently Random Values

CWE-287: Improper Authentication

Product status

Default status
unaffected

Any version before 6529
affected

Default status
unaffected

Any version before 6321
affected

Default status
unaffected

Any version before 4817
affected

Default status
unaffected

Any version before 8703
affected

References

www.manageengine.com/...assword/advisory/CVE-2026-11374.html

cve.org (CVE-2026-11374)

nvd.nist.gov (CVE-2026-11374)
