Description
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
Published: 2026-06-23
Score: 9 (Critical)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to predict the single sign-on tickets used by ManageEngine ADAudit Plus, ADSelfService Plus, M365 Manager Plus, and Recovery Manager Plus. Predicting these tickets leads to unauthorized session hijacking and full account takeover. The weakness is rooted in poor entropy generation and authentication bypass, classified as CWE-287, CWE-330, and CWE-340.

Affected Systems

The affected products are ManageEngine ADAudit Plus, ManageEngine ADSelfService Plus, ManageEngine M365 Manager Plus, and ManageEngine Recovery Manager Plus. Specific version information is not provided, so all available releases at the time of disclosure may be vulnerable.

Risk and Exploitability

The CVSS score is 9, indicating critical severity. EPSS data is not available, so the exact exploitation probability is unknown; however, because tickets can be generated without authentication, the attack vector is remote over the network. The vulnerability is not listed in the CISA KEV catalog, yet its criticality and ease of exploitation warrant prompt action.

Generated by OpenCVE AI on June 23, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or upgrade to the most recent GA releases of ManageEngine ADAudit Plus, ADSelfService Plus, M365 Manager Plus, and Recovery Manager Plus.
  • Restrict unauthenticated access to the SSO ticket generation endpoints through firewall or API gateway rules.
  • Enforce multi-factor authentication for privileged accounts to mitigate the impact of ticket prediction.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 09:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
Type: Title
  Values removed: (none)
  Values added: Account Takeover via Predictable SSO Ticket Generation
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-287, CWE-330, CWE-340
Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-06-23T08:19:30.638Z

Reserved: 2026-06-05T12:25:17.739Z

Link: CVE-2026-11374

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T10:30:06Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-330: Use of Insufficiently Random Values
  • CWE-340: Generation of Predictable Numbers or Identifiers