ManageEngine has disclosed a critical vulnerability, tracked as CVE-2026-11374, that allows account takeover within its AD360 identity and access management suite. The flaw affects several products integrated with the AD360 platform, specifically ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, when these tools operate under single sign-on (SSO) integration.
At the heart of the issue is a flaw in the SSO ticket generation process. Researchers found that the tickets created for SSO authentication lack sufficient randomness and are produced by flawed generation logic. Because the tickets are predictable, unauthenticated attackers can impersonate legitimate users and gain unauthorized access to sensitive enterprise environments and data.
According to a security advisory issued by ManageEngine, the vulnerability manifests during the authentication process between AD360 and its associated components. When users authenticate through AD360, SSO tickets are generated to facilitate a seamless experience across connected products. However, the predictable nature of these tickets has raised alarms, as attackers exploiting this vulnerability could craft or guess valid SSO tokens. Such actions would enable them to bypass all authentication controls, eliminating the need for valid user credentials.
The implications of successfully exploiting CVE-2026-11374 are severe. An attacker can obtain a compromised user's identity along with the associated role information, which can amount to complete account takeover, depending on the privileges attached to that account. In environments that rely on AD360 for comprehensive management of Active Directory operations, including password self-service, auditing, and Microsoft 365 administration, such unauthorized access could lead to privilege escalation, data leakage, or further lateral movement within the organization's network.
A detailed examination of the vulnerability reveals that certain versions of the affected products are at risk:
- ADSelfService Plus: Versions up to build 6528 are vulnerable, while build 6529, released on June 3, 2026, mitigates the risk.
- RecoveryManager Plus: Builds 6320 and earlier are affected, with the fix arriving in build 6321 on June 5, 2026.
- M365 Manager Plus: Vulnerable in the 4816 build and earlier, with a resolution in build 4817 dated June 10, 2026.
- ADAudit Plus: Builds 8702 and earlier are also at risk; users should upgrade to build 8703, released on June 12, 2026.
In response to this critical vulnerability, ManageEngine has strengthened the SSO ticket generation process. The changes are designed to ensure that authentication tokens are unpredictable and cannot be guessed or forged by malicious actors.
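The flaw described above (tickets with insufficient randomness) and the fix (unpredictable tokens) are illustrated by the following added example, which is constructed for this article and is not ManageEngine's code. The weak generator reproduces a ticket from a guessable seed; the hardened store issues a 256-bit CSPRNG identifier bound by an HMAC to the user and an expiry, checks it in constant time, and consumes it on first use. The class and function names, the server key and the 60-second lifetime are all assumptions.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Dict, Optional, Tuple


# Constructed illustration of the bug class, not ManageEngine's code: a ticket
# derived from a low-entropy seed (issue time in seconds plus a small counter)
# is reproducible by anyone who knows roughly when it was issued.
def weak_ticket(username: str, issued_at: int, counter: int) -> str:
    rng = random.Random(issued_at + counter)  # deterministic, guessable seed
    return f"{username}:{rng.getrandbits(64):016x}"


class TicketStore:
    """Hardened form: 256-bit CSPRNG id, HMAC-bound to user and expiry,
    compared in constant time, short-lived and consumed on first use."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 60):
        self._key = server_key
        self._ttl = ttl_seconds
        self._live: Dict[str, Tuple[str, int]] = {}  # id -> (user, expires_at)

    def _tag(self, ticket_id: str, username: str, expires_at: int) -> str:
        msg = f"{ticket_id}|{username}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, username: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        ticket_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = now + self._ttl
        self._live[ticket_id] = (username, expires_at)
        return f"{ticket_id}.{self._tag(ticket_id, username, expires_at)}"

    def redeem(self, ticket: str, now: Optional[int] = None) -> Optional[str]:
        """Return the username for a valid ticket, else None. Single use."""
        now = int(time.time()) if now is None else now
        ticket_id, sep, tag = ticket.partition(".")
        # Consume first so a replayed (or tampered) ticket can never succeed.
        entry = self._live.pop(ticket_id, None)
        if not sep or entry is None:
            return None
        username, expires_at = entry
        if not hmac.compare_digest(tag, self._tag(ticket_id, username, expires_at)):
            return None
        if now >= expires_at:
            return None
        return username
```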
Security teams are strongly advised to promptly apply the latest service packs made available to mitigate the vulnerabilities outlined. These updates can be found on ManageEngine’s official service pack distribution pages linked to each affected product.
Organizations that utilize AD360 in production settings need to prioritize these patches due to the pre-authentication nature of this vulnerability. The potential for complete account compromise underscores the urgency of the situation.
This vulnerability was responsibly disclosed by the security researcher known as 0xmanhnv, who reported the issue through the Zoho BugBounty program. ManageEngine has duly acknowledged this contribution and awarded credit to the researcher for identifying the security concern.
For additional assistance regarding patching or mitigation strategies, users are encouraged to reach out to the respective product support teams or directly contact ManageEngine’s dedicated security response team.
Given the extensive use of ManageEngine solutions within enterprise identity management infrastructures, the ramifications of CVE-2026-11374 are serious. This incident underscores the critical need for secure token generation mechanisms, highlighting the importance of upholding robust security practices in SSO implementations.
Organizations are also encouraged to routinely review authentication logs for any suspicious SSO activities. Implementing additional monitoring controls can play a key role in early detection of potential abuse, thereby safeguarding critical assets within corporate networks.