
Account Takeover via Predictable SSO Ticket Generation (CVE-2026-11374)

9 / 10
CRITICAL
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

AI Analysis

Predictable SSO ticket generation vulnerability allowing account takeover

Basic Information

ID: CVE-2026-11374
Source: Zohocorp
Published: Jun 23, 2026 at 08:19

Affected Product

Vendor: zohocorp
Product: manageengine_adselfservice_plus
Affected Versions:
zohocorp manageengine_adselfservice_plus 0
zohocorp manageengine_recovery_manager_plus 0
zohocorp manageengine_m365_manager_plus 0
zohocorp manageengine_adaudit_plus 0

CWE Classification

AI Assessment

AI Score: 9 / 10
AI Severity: Critical
Vendor: Zoho Corp
Product: ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, ADAudit Plus

References
