ManageEngine AD360 SSO Bug Lets Attackers Hijack User Accounts
A high-severity vulnerability tracked as CVE-2026-11374 has been disclosed in multiple ManageEngine products (ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus) when they are deployed as integrated components within the ManageEngine AD360 suite.
The flaw enables unauthenticated attackers to predict Single Sign-On (SSO) tickets and fully seize control of targeted user accounts without requiring valid credentials.
The vulnerability lies in the SSO authentication mechanism that is triggered when users sign in through AD360’s integrated environment.
ManageEngine AD360 SSO Vulnerability
During the authentication process, the system generates tickets to validate user sessions. Researchers discovered that weak ticket-generation logic makes these SSO tokens predictable to an unauthenticated external attacker.
A successful exploit allows the threat actor to obtain the victim’s identity and role information, effectively granting complete account control. Critically, this attack requires no prior authentication, only network-level access to the application.
This type of flaw is especially dangerous in enterprise environments where AD360 functions as a centralized identity and access management (IAM) hub. A single compromised SSO ticket can cascade into unauthorized access across multiple interconnected systems, significantly amplifying the blast radius.
| Product | Affected Version | Fixed Version | Patch Date |
|---|---|---|---|
| ADSelfService Plus | 6528 and earlier | 6529 | June 3, 2026 |
| RecoveryManager Plus | 6320 and earlier | 6321 | June 5, 2026 |
| M365 Manager Plus | 4816 and earlier | 4817 | June 10, 2026 |
| ADAudit Plus | 8702 and earlier | 8703 | June 12, 2026 |
ManageEngine products are widely deployed across enterprise and government networks globally. AD360 consolidates identity management, password self-service, auditing, and Microsoft 365 administration into a single platform, making the SSO layer a high-value target.
Any unauthenticated actor with network access to the application can silently impersonate privileged users, administrators, or auditors.
Account takeover vulnerabilities of this nature are routinely leveraged by threat actors for lateral movement, privilege escalation, and data exfiltration, making timely remediation non-negotiable for security teams.
The wide deployment footprint of ManageEngine across regulated industries, including healthcare, finance, and government, further elevates the risk, as a successful compromise could satisfy multiple attacker objectives in a single operation.
ManageEngine resolved the issue by strengthening the SSO ticket-generation process, ensuring tokens are cryptographically unpredictable going forward. Organizations running any of the affected product versions should immediately apply the latest service packs from the official ManageEngine update portals.
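The article does not publish the flawed ticket-generation logic, and the code below is an added illustration rather than ManageEngine's own implementation. It contrasts the general weakness described above (a ticket derived from a predictable, low-entropy source) with the hardened pattern the fix is described as adopting: a ticket carrying a CSPRNG nonce, an expiry, and an HMAC over the identity claims, checked in constant time and redeemable only once. The server key, the claim format and the function names are assumptions for the example.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Optional, Tuple

# Assumed server-side signing key; a real deployment loads this from a key store.
SERVER_KEY = secrets.token_bytes(32)
SEP = "|"

def weak_ticket(username: str, issued_at: int) -> str:
    """Illustrative weak pattern (not the vendor's code): the ticket is the output of a
    non-cryptographic PRNG seeded from the issue time. Identical inputs yield identical
    tickets, so the ticket space is tiny and reproducible. Shown only as the 'before'."""
    rng = random.Random(issued_at)
    return f"{username}{SEP}{rng.getrandbits(64):016x}"

def issue_ticket(username: str, role: str, now: Optional[int] = None, ttl: int = 300) -> str:
    """Hardened pattern: 256-bit random nonce from the OS CSPRNG, short expiry, and an
    HMAC-SHA256 tag binding username, role, expiry and nonce to the server key."""
    if SEP in username or SEP in role:
        raise ValueError("separator not allowed in claims")  # avoid claim injection
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(32)
    payload = SEP.join([username, role, str(now + ttl), nonce])
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag

def validate_ticket(ticket: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (username, role) if the tag verifies and the ticket is unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = ticket.split(SEP)
    if len(parts) != 5:
        return None
    username, role, expires, nonce, tag = parts
    payload = SEP.join([username, role, expires, nonce])
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if not expires.isdigit() or now >= int(expires):
        return None
    return username, role

_REDEEMED = set()  # nonces already consumed; a real service keeps this server-side with TTL

def redeem_ticket(ticket: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Single-use redemption: a ticket that verifies can still be rejected if replayed."""
    claims = validate_ticket(ticket, now)
    if claims is None:
        return None
    nonce = ticket.split(SEP)[3]
    if nonce in _REDEEMED:
        return None
    _REDEEMED.add(nonce)
    return claims

if __name__ == "__main__":
    t = issue_ticket("alice", "admin", now=1000)
    print("first redeem :", redeem_ticket(t, now=1100))
    print("second redeem:", redeem_ticket(t, now=1100))
```

The point of the contrast is that unpredictability alone is not enough: a ticket should also be bound to the claims it carries, expire quickly, and be consumable once, so that a guessed, leaked or replayed ticket has a narrow window and cannot be altered to change the role it grants.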
Beyond patching, security teams should take the following steps:
- Audit SSO session logs for anomalous authentication patterns dating back to when affected versions were first deployed
- Prioritize log review for privileged and administrative accounts, as these represent the highest-value targets
- Deploy threat detection controls to flag unusual lateral movement or privilege escalation attempts post-authentication
- Verify AD360 components are not directly exposed to untrusted networks or the public internet
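As an added example of the log review the first two steps call for (not part of the original article, and not based on AD360's actual log format, which is not shown here), the script below runs a few detection rules over a constructed SSO audit log. The key/value line format, the event names and the list of privileged accounts are assumptions; the rules look for the traces a forged or hijacked ticket would plausibly leave: a ticket redeemed that was never issued, a ticket redeemed by a different user or from a different source than the one it was issued to, and a ticket redeemed more than once, with findings for privileged accounts ranked highest.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed log line shape: "<ts> event=<EVENT> user=<user> src=<ip> ticket=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) ticket=(?P<ticket>\S+)$"
)

# Assumed high-value accounts to prioritise, per the guidance to review privileged users first.
PRIVILEGED = {"admin", "audit-svc"}

# Constructed sample log (not real data): T1 is a normal issue/redeem pair, T2 is redeemed
# without ever being issued, T3 is redeemed from a different source and then replayed.
SAMPLE_LOG = """
2026-06-01T08:00:01Z event=TICKET_ISSUED user=bob src=10.1.2.3 ticket=T1
2026-06-01T08:00:02Z event=TICKET_REDEEMED user=bob src=10.1.2.3 ticket=T1
2026-06-01T08:05:10Z event=TICKET_REDEEMED user=admin src=203.0.113.7 ticket=T2
2026-06-01T08:06:00Z event=TICKET_ISSUED user=carol src=10.1.2.9 ticket=T3
2026-06-01T08:06:01Z event=TICKET_REDEEMED user=carol src=198.51.100.4 ticket=T3
2026-06-01T08:06:30Z event=TICKET_REDEEMED user=carol src=198.51.100.4 ticket=T3
"""

def parse(lines) -> List[Dict[str, str]]:
    """Parse matching lines into dicts; lines that do not match the assumed shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_anomalies(lines) -> List[Dict[str, str]]:
    """Correlate TICKET_ISSUED and TICKET_REDEEMED events per ticket id and emit findings."""
    issued: Dict[str, Dict[str, str]] = {}
    redeem_count: Dict[str, int] = defaultdict(int)
    findings: List[Dict[str, str]] = []

    def flag(ev: Dict[str, str], kind: str) -> None:
        findings.append({
            "ts": ev["ts"], "user": ev["user"], "src": ev["src"], "ticket": ev["ticket"],
            "kind": kind, "severity": "high" if ev["user"] in PRIVILEGED else "medium",
        })

    for ev in parse(lines):
        tid = ev["ticket"]
        if ev["event"] == "TICKET_ISSUED":
            issued[tid] = ev
            continue
        if ev["event"] != "TICKET_REDEEMED":
            continue
        redeem_count[tid] += 1
        origin = issued.get(tid)
        if origin is None:
            flag(ev, "redeemed_without_issue")   # ticket never minted by this service
        else:
            if origin["user"] != ev["user"]:
                flag(ev, "user_mismatch")        # ticket used for a different identity
            if origin["src"] != ev["src"]:
                flag(ev, "source_mismatch")      # issued to one host, redeemed from another
        if redeem_count[tid] > 1:
            flag(ev, "replayed")                 # same ticket consumed more than once
    return findings

if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<6} {f['ts']} {f['kind']:<24} user={f['user']} src={f['src']} ticket={f['ticket']}")
```

A ticket redeemed without a matching issue record is the strongest signal for this class of flaw, since a guessed or forged ticket is consumed without the server ever having minted it; the mismatch and replay rules catch the cases where a legitimately issued ticket was intercepted or reused. In practice, these rules need the actual field names of the product's audit log and a join on a stable ticket or session identifier.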
Given the limited forensic footprint this vulnerability may leave in standard log reviews, proactive threat hunting is strongly advised.