CVE-2026-11374 | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M3… | CVSS 9.0 CRITICAL

Description

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

Metadata

CVE ID: CVE-2026-11374
State: PUBLISHED
Assigner: Zohocorp
Reserved: 2026-06-05 12:25 UTC
Published: 2026-06-23 08:19 UTC
Last updated: 2026-06-23 08:19 UTC
Primary CWE: CWE-340
CWE-340: Generation of Predictable Numbers or Identifiers
Vendor / Product: zohocorp / manageengine_adselfservice_plus
Sources: cve.org · NVD

Severity & Metrics

9.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (4)

Vendor	Product	Platform	Versions
zohocorp	manageengine_adaudit_plus	Windows	0 < 8703
zohocorp	manageengine_adselfservice_plus	Windows	0 < 6529
zohocorp	manageengine_m365_manager_plus	Windows	0 < 4817
zohocorp	manageengine_recovery_manager_plus	Windows	0 < 6321

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication
CWE-330	cna	CWE-330: Use of Insufficiently Random Values
CWE-340	cna	CWE-340: Generation of Predictable Numbers or Identifiers

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html