GBHackers

ManageEngine AD360 Integrated Products Hit by Account Takeover Vulnerability


ManageEngine has disclosed a critical account takeover vulnerability, tracked as CVE-2026-11374, affecting various integrated products within its AD360 identity and access management suite.

The flaw affects ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when they are integrated with AD360 through its single sign-on (SSO) mechanism.

This vulnerability stems from predictable SSO ticket generation, which allows an unauthenticated attacker to impersonate legitimate users and gain unauthorized access to enterprise environments.

ManageEngine AD360 Account Takeover Vulnerability

According to the advisory, the issue occurs during SSO authentication between AD360 and its integrated components. When users authenticate via AD360, SSO tickets are created to facilitate seamless access across connected products.

However, researchers discovered that these tickets could be predicted due to insufficient randomness or flawed generation logic. An attacker exploiting this vulnerability could craft or guess a valid SSO token, enabling them to bypass authentication controls without needing valid credentials.

Successful exploitation of CVE-2026-11374 allows attackers to retrieve the targeted user’s identity and associated role information, potentially leading to a full account takeover depending on the compromised account’s privileges.

In enterprise environments where AD360 is used for central management of Active Directory operations, password self-service, auditing, and Microsoft 365 administration, such unauthorized access could result in privilege escalation, data exposure, or further lateral movement within the network.

The vulnerability affects the following product versions:

– ADSelfService Plus build 6528 and earlier; fixed in build 6529, released on June 3, 2026

– RecoveryManager Plus build 6320 and earlier; fixed in build 6321, released on June 5, 2026

– M365 Manager Plus build 4816 and earlier; fixed in build 4817, released on June 10, 2026

– ADAudit Plus build 8702 and earlier; fixed in build 8703, released on June 12, 2026

ManageEngine has resolved the issue by strengthening the SSO ticket generation mechanism, ensuring that authentication tokens are no longer predictable and cannot be exploited by unauthenticated users.

Security teams are strongly advised to apply the latest service packs immediately to mitigate the risk. Updates are available through ManageEngine’s official service pack distribution pages for each affected product.

Organizations using AD360 in production environments should prioritize patching due to the vulnerability’s pre-authentication nature and its potential to result in complete account compromise.

The vulnerability was responsibly disclosed by security researcher 0xmanhnv through the Zoho BugBounty program. ManageEngine has acknowledged the report and credited the researcher for identifying the issue.

Users needing assistance with patching or mitigation can contact the respective product support teams or reach out to ManageEngine’s security response team directly.

Given the widespread deployment of ManageEngine solutions in enterprise identity management infrastructures, CVE-2026-11374 poses a critical risk, underscoring the importance of secure token generation mechanisms in SSO implementations.
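The remedy the advisory describes is unpredictable SSO ticket generation. The following is an added illustration (not ManageEngine's code, and not a description of how AD360 actually works) of how an SSO hub can mint tickets that are unguessable, short-lived and single-use; the in-memory store, the 60-second TTL and the function names are assumptions for the example.

```python
import hashlib
import secrets
import time

# Assumed for the example: a store shared by the issuing and consuming products.
# Keys are SHA-256 digests of tickets, so a leaked store cannot be replayed.
TICKET_TTL_SECONDS = 60
_tickets = {}  # sha256(ticket) -> {"user", "role", "expires"}


def _digest(ticket):
    return hashlib.sha256(ticket.encode()).hexdigest()


def issue_ticket(user, role, now=None):
    """Mint a one-time SSO ticket carrying the user's identity and role.

    The ticket is 32 bytes (256 bits) from the OS CSPRNG, so it cannot be
    derived from earlier tickets, timestamps, counters or session ids.
    """
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(32)
    _tickets[_digest(ticket)] = {
        "user": user,
        "role": role,
        "expires": now + TICKET_TTL_SECONDS,
    }
    return ticket


def redeem_ticket(presented, now=None):
    """Return (user, role) for a valid ticket, or None.

    Lookup is by digest of the presented value, so timing does not depend on
    how many bytes of a guess happen to match a live ticket. The record is
    removed on first presentation, valid or expired, so a ticket can never be
    redeemed twice.
    """
    now = time.time() if now is None else now
    record = _tickets.pop(_digest(presented), None)
    if record is None or now > record["expires"]:
        return None
    return record["user"], record["role"]
```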

Organizations should also review authentication logs for any unusual SSO activity and consider implementing additional monitoring controls to detect potential abuse.
