EXECUTIVE SUMMARY:
CVE-2026-11374, CVSS score 9.0 (critical), is a vulnerability in the ManageEngine AD360 product suite affecting ADSelfService Plus versions prior to 6529, Recovery Manager Plus versions prior to 6321, M365 Manager Plus versions prior to 4817, and ADAudit Plus versions prior to 8703. The root cause is weak single sign-on (SSO) ticket generation: tickets follow predictable patterns rather than being drawn from an unpredictable random source, so an unauthenticated, network-based attacker with no prior access can compute a valid SSO ticket for a target user instead of having to steal one. A forged ticket grants the attacker the targeted user's identity and role, resulting in full account takeover; where the victim holds administrative or auditing roles, the corresponding sensitive functions are exposed and the attacker gains deep reach into the organization's internal network. The business impact is severe, as a successful attack can lead to compromise of sensitive data and disruption of critical business operations. The only prerequisite is network reachability of an affected, unpatched instance that still uses the predictable ticket generation scheme.
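The weakness described above is a general one: a ticket that is a deterministic function of inputs an attacker can know or guess (a user name, an issue timestamp, a counter) can be recomputed rather than stolen. The Python below is an added, constructed illustration of that class and of its fix; it is not ManageEngine's code and does not reproduce the actual AD360 ticket format, which this page does not describe. `WeakSsoServer`, `SecureSsoServer`, `predict_ticket`, the SHA-256-of-user-and-timestamp scheme and the timestamps are all hypothetical.

```python
"""Constructed demo: predictable SSO ticket vs. CSPRNG ticket (not ManageEngine's scheme)."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

WINDOW_MS = 5_000  # attacker's uncertainty (+/-) about the ticket's issue time, in ms


class WeakSsoServer:
    """Hypothetical weak scheme: the ticket is a hash of public or guessable inputs."""

    def __init__(self) -> None:
        self._tickets: Dict[str, str] = {}  # ticket -> user

    @staticmethod
    def derive(user: str, issued_ms: int) -> str:
        # The output looks random, but anyone who knows the user name and can bound
        # the issue time can recompute it. Hashing adds no entropy to its inputs.
        return hashlib.sha256(f"{user}:{issued_ms}".encode()).hexdigest()

    def issue(self, user: str, issued_ms: int) -> str:
        ticket = self.derive(user, issued_ms)
        self._tickets[ticket] = user
        return ticket

    def redeem(self, ticket: str, now_ms: int) -> Optional[str]:
        # Single use, but no expiry check: a predicted ticket stays valid until redeemed.
        return self._tickets.pop(ticket, None)


class SecureSsoServer:
    """Hardened form: CSPRNG ticket bound server-side to the user, single-use, expiring."""

    def __init__(self, ttl_ms: int = 60_000) -> None:
        self._tickets: Dict[str, Tuple[str, int]] = {}  # ticket -> (user, expires_ms)
        self._ttl_ms = ttl_ms

    def issue(self, user: str, issued_ms: int) -> str:
        # 32 bytes from the OS CSPRNG: no relationship to the user, the time or any prior ticket.
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (user, issued_ms + self._ttl_ms)
        return ticket

    def redeem(self, ticket: str, now_ms: int) -> Optional[str]:
        entry = self._tickets.pop(ticket, None)  # pop enforces single use
        if entry is None:
            return None
        user, expires_ms = entry
        return user if now_ms <= expires_ms else None


def predict_ticket(server, user: str, approx_issued_ms: int,
                   window_ms: int = WINDOW_MS) -> Optional[str]:
    """Unauthenticated attacker: knows the victim's user name and roughly when a ticket
    was issued, recomputes every candidate in the window and tries each one against
    the server. Returns the identity handed over, or None if no candidate is accepted."""
    for guess_ms in range(approx_issued_ms - window_ms, approx_issued_ms + window_ms + 1):
        candidate = WeakSsoServer.derive(user, guess_ms)
        identity = server.redeem(candidate, approx_issued_ms)
        if identity is not None:
            return identity
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the same attack against both servers. Constructed timestamps, not real data."""
    issued_ms = 1_700_000_000_000      # when the victim's ticket was issued
    observed_ms = issued_ms + 1_234    # attacker's estimate, off by about 1.2 s

    weak = WeakSsoServer()
    weak.issue("admin", issued_ms)
    taken_over = predict_ticket(weak, "admin", observed_ms)      # -> 'admin'

    secure = SecureSsoServer()
    secure.issue("admin", issued_ms)
    not_taken_over = predict_ticket(secure, "admin", observed_ms)  # -> None

    return taken_over, not_taken_over


if __name__ == "__main__":
    print(demo())  # ('admin', None)
```

The attacker never touches the victim's session: against the weak server a few thousand hash computations and redemption attempts are enough to obtain the identity, while against the hardened server the same effort yields nothing because the ticket value carries no information derivable from user or time. Unpredictability is the fix; single use and expiry limit the damage if a ticket does leak by other means.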
RECOMMENDATION:
We recommend updating ADSelfService Plus to version 6529 or later, Recovery Manager Plus to version 6321 or later, M365 Manager Plus to version 4817 or later, and ADAudit Plus to version 8703 or later. Instances that cannot be updated immediately should not be reachable from untrusted networks, since exploitation requires no authentication.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/manageengine-account-takeover-cve-2026-11374/