Executive Summary

A critical vulnerability, CVE-2026-11374, with a CVSS score of 9 has been identified in multiple ManageEngine products. This vulnerability allows unauthenticated users to predict SSO ticket IDs, potentially leading to account takeover. The affected products include ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus.

Technical Analysis

The vulnerability is caused by the predictable nature of SSO ticket IDs generated by the affected ManageEngine products. An unauthenticated user can exploit this by guessing or predicting a valid SSO ticket ID, which can then be used to authenticate and potentially takeover an account.

How It Gets Exploited

An unauthenticated remote attacker can send a crafted request to the vulnerable ManageEngine product, attempting to guess or predict a valid SSO ticket ID. If successful, the attacker can use this ID to authenticate and gain unauthorized access to the system, potentially leading to account takeover.

Impact Assessment

The affected products and their versions are as follows: - ManageEngine ADSelfService Plus (versions prior to 6529) - ManageEngine RecoveryManager Plus (versions prior to 6321) - ManageEngine M365 Manager Plus (versions prior to 4817) - ManageEngine ADAudit Plus (versions prior to 8703) An attacker can achieve account takeover, potentially leading to further exploitation of the system.

Recommended Actions

To mitigate this vulnerability, update the affected ManageEngine products to the following versions or later: - ManageEngine ADSelfService Plus: 6529 or later - ManageEngine RecoveryManager Plus: 6321 or later - ManageEngine M365 Manager Plus: 4817 or later - ManageEngine ADAudit Plus: 8703 or later Additionally, implement network segmentation and restrict access to the affected systems to limit the attack surface.

Sources

- National Vulnerability Database (NVD) - ManageEngine Advisory