ManageEngine ADSelfService Plus SSO Ticket Prediction Enables Account Takeover
CVE-2026-11374 Published on June 23, 2026
Account Takeover via Predictable SSO Ticket Generation
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.
Vulnerability Analysis
CVE-2026-11374 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is considered high. The potential impact of a successful exploit is considered critical, as the vulnerability has a high impact on the confidentiality, integrity and availability of the affected component.
Weakness Types
Generation of Predictable Numbers or Identifiers
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Use of Insufficiently Random Values
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
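As an added illustration of the weakness class described above (example code, not ManageEngine's implementation; the ticket format, TTL and in-memory store are assumptions), a time-seeded ticket generator is shown beside a hardened issuer that uses a CSPRNG, binds the ticket to a user, expires it and accepts it only once:

```python
import hashlib
import random
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example, not ManageEngine code: TTL value is an assumption.
TICKET_TTL_SECONDS = 60


def weak_ticket(issued_at: int) -> str:
    """Anti-pattern (CWE-330/340): a non-cryptographic PRNG seeded with the
    issue time. The output is a pure function of the seed, so anyone who can
    narrow down the timestamp can regenerate the same ticket."""
    rng = random.Random(issued_at)
    return "%032x" % rng.getrandbits(128)


class TicketStore:
    """Mitigation: tickets come from os.urandom via secrets, are bound to a
    user, expire, and are single-use. Only a SHA-256 fingerprint of each
    ticket is kept server-side, so a leaked store does not leak live tickets."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(ticket: str) -> str:
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._pending[self._fingerprint(ticket)] = (user, now + TICKET_TTL_SECONDS)
        return ticket

    def redeem(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the bound user on success, None otherwise. pop() makes the
        ticket single-use even when it is rejected as expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(ticket), None)
        if entry is None:
            return None
        user, expires = entry
        return user if now <= expires else None
```

The weak generator returns identical tickets for identical seeds, which is the property a defender should test for in any token-issuing code path.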
What is an Authentication Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-11374 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2026-11374
Affected Versions
zohocorp manageengine_adselfservice_plus:
- Before 6529 is affected.
- Before 6321 is affected.
- Before 4817 is affected.
- Before 8703 is affected.