- CVE: CVE-2026-11374
- CVSS: 9.0 (Critical · CVSSv3)
- Product: zohocorp manageengine_adselfservice_plus
- Affected (when integrated with AD360): ADSelfService Plus < 6529, Recovery Manager Plus < 6321, M365 Manager Plus < 4817, ADAudit Plus < 8703
- Impact: Account Takeover via Predictable SSO Ticket Generation
- Status: No confirmed exploitation yet
- Patched in: ADSelfService Plus 6529, Recovery Manager Plus 6321, M365 Manager Plus 4817, ADAudit Plus 8703
- EPSS: 1.2% (30-day)
- Action: Update each integrated product to its fixed build (6529 / 6321 / 4817 / 8703) now
TL;DR
Zoho Corporation has disclosed CVE-2026-11374, a CVSS 9.0 account takeover flaw in four ManageEngine products when they run as integrated components of AD360. Because SSO tickets are generated predictably, an unauthenticated attacker can forge a ticket the server accepts and take over the targeted user's account.
Why it matters
The CVSS 9.0 rating reflects that no prior authentication is required: an attacker who predicts a valid ticket gains full control of the targeted account. The affected products handle identity administration and auditing for Active Directory and Microsoft 365, and a successful attack exposes the victim's identity and role information, so a guessed ticket for a privileged user gives the intruder significant reach into the organization's directory environment. No public proof-of-concept is known and the vendor has not confirmed exploitation in the wild; treat that as a window in which to patch, not as a reason to wait.
How the attack works
The issue stems from weak single sign-on ticket generation. When a user signs in through SSO, the system issues a ticket that authenticates the session, but the ticket values follow a predictable pattern rather than being unguessable. An attacker holding no credentials can therefore compute a ticket the server will accept for a chosen user. According to the advisory, this lets the attacker "obtain the targeted user's identity and role information," which amounts to a complete account takeover. The advisory does not publish the ticket format or the exact source of predictability, so defenders should assume that any ticket issued by an unpatched build may be guessable.
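The advisory does not publish the ticket algorithm, so the following Python model is a constructed illustration of the bug class added here; it is not ManageEngine's code and does not claim to reproduce the real weakness. It pairs a weak issuer that seeds a PRNG from the wall clock, so an attacker who knows roughly when the victim logged in can regenerate the ticket, with a hardened issuer that draws the ticket from the OS CSPRNG and bounds its lifetime. The server class, user and role strings, guess window and ticket lifetime are all assumptions.

```python
"""Constructed model of a predictable SSO ticket and its fix.

Not ManageEngine code: the advisory does not publish the real ticket format or
algorithm. The weak issuer below is a stand-in for the bug class (a ticket that
is a deterministic function of something the attacker can know or guess).
"""
import random
import secrets
import time

TICKET_BITS = 128
TICKET_TTL_SECONDS = 60      # assumed single-use ticket lifetime for the fixed issuer
FIXED_NOW = 1_700_000_000.0  # frozen clock so the demo is reproducible


class SsoServer:
    """Issues tickets at login and resolves them to an identity on redemption."""

    def __init__(self, ticket_factory, clock=time.time):
        self._ticket_factory = ticket_factory  # callable(now) -> ticket string
        self._clock = clock
        self._tickets = {}                      # ticket -> (user, role, issued_at)

    def login(self, user, role):
        now = self._clock()
        ticket = self._ticket_factory(now)
        self._tickets[ticket] = (user, role, now)
        return ticket

    def redeem(self, ticket):
        """Exchange a ticket for identity and role. Single use and time bounded,
        so a guessed ticket is only useful while the victim's session is fresh."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user, role, issued_at = entry
        if self._clock() - issued_at > TICKET_TTL_SECONDS:
            return None
        return {"user": user, "role": role}


def weak_ticket(now):
    """Vulnerable pattern: a PRNG seeded from the current second. The ticket is a
    pure function of the clock, so anyone who can approximate the login time can
    regenerate it (the classic java.util.Random-seeded-from-the-clock mistake)."""
    return f"{random.Random(int(now)).getrandbits(TICKET_BITS):032x}"


def strong_ticket(now):
    """Fixed pattern: 128 bits from the OS CSPRNG; the clock plays no part."""
    return secrets.token_hex(TICKET_BITS // 8)


def guess_tickets(server, approx_login_time, window_seconds=5):
    """Unauthenticated attacker: replay the weak generator for each second in a
    window around the victim's login time and try every candidate on the server.
    Returns the stolen identity, or None if no candidate is accepted."""
    base = int(approx_login_time)
    for offset in range(-window_seconds, window_seconds + 1):
        identity = server.redeem(weak_ticket(base + offset))
        if identity is not None:
            return identity
    return None


def run_attack(ticket_factory, clock=lambda: FIXED_NOW):
    """Victim logs in, attacker guesses. The attacker never sees the real ticket
    and only knows the login time to within a couple of seconds."""
    server = SsoServer(ticket_factory, clock=clock)
    server.login("alice", "Domain Admin")
    return guess_tickets(server, clock() + 2)


def tickets_vary_at_fixed_clock(ticket_factory, samples=8):
    """Cheap regression check for a ticket issuer: with the clock frozen, a sound
    issuer must still produce distinct tickets; a clock-derived one cannot."""
    issued = {ticket_factory(FIXED_NOW) for _ in range(samples)}
    return len(issued) == samples


if __name__ == "__main__":
    print("weak issuer   ->", run_attack(weak_ticket))    # attacker gets alice's identity
    print("strong issuer ->", run_attack(strong_ticket))  # None: nothing to predict
    print("weak varies?  ->", tickets_vary_at_fixed_clock(weak_ticket))
    print("strong varies?->", tickets_vary_at_fixed_clock(strong_ticket))
```

The attacker in this model never touches the victim's browser; the only thing needed is an estimate of the login time and the ability to submit ticket redemptions, which is exactly the "unauthenticated" precondition the advisory describes. The `tickets_vary_at_fixed_clock` check is the kind of unit test a development team can keep around to catch a regression to clock- or counter-derived tickets.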
Affected versions
The flaw affects four ManageEngine products, but only when they are deployed as integrated components within ManageEngine AD360:
- ADSelfService Plus: Builds 6528 and earlier.
- Recovery Manager Plus: Builds 6320 and earlier.
- M365 Manager Plus: Builds 4816 and earlier.
- ADAudit Plus: Builds 8702 and earlier.
Patch or mitigation steps
Apply the fixed service packs immediately. Zoho resolved the issue by strengthening SSO ticket generation so that tickets "can no longer be predicted by an unauthenticated attacker." The service packs are available from the official ManageEngine security advisory. Update each integrated product to its fixed build: ADSelfService Plus to 6529, Recovery Manager Plus to 6321, M365 Manager Plus to 4817, and ADAudit Plus to 8703. Because tickets issued by a vulnerable build may already have been predicted, it is prudent after patching to terminate active SSO sessions and review authentication logs for sign-ins from unexpected sources.