Impact
In ManageEngine ADSelfService Plus, Recovery Manager Plus, M365 Manager Plus, and ADAudit Plus the single sign‑on ticket generation uses insufficient entropy, allowing an unauthenticated user to predict the tickets. With a predicted ticket the attacker can obtain an authenticated session, effectively assuming the account. The vulnerability is classified around authentication, insufficient randomness, and replay risks.
Affected Systems
The vulnerable products are ManageEngine ADAudit Plus, ManageEngine ADSelfService Plus, ManageEngine M365 Manager Plus, and ManageEngine Recovery Manager Plus. The advisory does not list specific version numbers, so any currently released version may be affected.
Risk and Exploitability
The CVSS score of 9 categorizes the flaw as critical, and the EPSS score of 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker can exploit the flaw remotely by issuing a request to the ticket generation endpoint as an unauthenticated user and using the predictable ticket to forge an authenticated session.
OpenCVE Enrichment