Description
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted
by an unauthenticated user, leading to account takeover.
Published: 2026-06-23
Score: 9 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In ManageEngine ADSelfService Plus, Recovery Manager Plus, M365 Manager Plus, and ADAudit Plus the single sign‑on ticket generation uses insufficient entropy, allowing an unauthenticated user to predict the tickets. With a predicted ticket the attacker can obtain an authenticated session, effectively assuming the account. The vulnerability is classified around authentication, insufficient randomness, and replay risks.

Affected Systems

The vulnerable products are ManageEngine ADAudit Plus, ManageEngine ADSelfService Plus, ManageEngine M365 Manager Plus, and ManageEngine Recovery Manager Plus. The advisory does not list specific version numbers, so any currently released version may be affected.

Risk and Exploitability

The CVSS score of 9 categorizes the flaw as critical, and the EPSS score of 1% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker can exploit the flaw remotely by issuing a request to the ticket generation endpoint as an unauthenticated user and using the predictable ticket to forge an authenticated session.

Generated by OpenCVE AI on June 24, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor‑supplied patch or upgrade to the newest general‑availability release of the affected ManageEngine products.
  • Deploy network controls (firewall rules, API gateway policies, or server‑side ACLs) to restrict unauthenticated access to the SSO ticket generation endpoint.
  • Enable multi‑factor authentication for all privileged and regular user accounts to reduce the impact of a successful ticket prediction.

Generated by OpenCVE AI on June 24, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Zohocorp
Zohocorp manageengine Adaudit Plus
Zohocorp manageengine Adselfservice Plus
Zohocorp manageengine M365 Manager Plus
Zohocorp manageengine Recovery Manager Plus
Vendors & Products Zohocorp
Zohocorp manageengine Adaudit Plus
Zohocorp manageengine Adselfservice Plus
Zohocorp manageengine M365 Manager Plus
Zohocorp manageengine Recovery Manager Plus
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
Title Account Takeover via Predictable SSO Ticket Generation
Weaknesses CWE-287
CWE-330
CWE-340
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Zohocorp Manageengine Adaudit Plus Manageengine Adselfservice Plus Manageengine M365 Manager Plus Manageengine Recovery Manager Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-06-24T15:48:27.756Z

Reserved: 2026-06-05T12:25:17.739Z

Link: CVE-2026-11374

cve-icon Vulnrichment

Updated: 2026-06-23T12:03:53.541Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-330

    Use of Insufficiently Random Values

  • CWE-340

    Generation of Predictable Numbers or Identifiers