ManageEngine has recently disclosed a critical security vulnerability, tracked as CVE-2026-11374, in its identity and access management products when integrated with AD360. If exploited, the flaw could allow unauthenticated attackers to predict single sign-on (SSO) tokens, potentially leading to account takeovers and exposure of sensitive user data.
Impact on Identity Management Solutions
The vulnerability affects several key ManageEngine products, including ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, when used within the AD360 environment. These tools are vital for enterprise identity governance, Active Directory management, auditing, and Microsoft 365 administration. Therefore, this flaw poses a significant risk, especially in large-scale deployments.
Security researcher 0xmanhnv discovered this vulnerability and reported it through the Zoho BugBounty program. ManageEngine has acknowledged the researcher’s role in responsibly disclosing the issue.
Technical Details of the Vulnerability
The vulnerability arises from weaknesses in SSO ticket generation during authentication. When users log in through AD360’s SSO, tokens are issued to validate sessions. Unfortunately, researchers found that these tokens could be predicted by unauthenticated attackers, allowing them to craft valid session tokens without needing legitimate credentials.
This predictability enables attackers to impersonate users, gaining unauthorized access to systems. Such access could expose user identities and role-based access information, potentially leading to privilege escalation.
In environments where AD360 serves as a central identity hub, the risk escalates as multiple integrated services can be compromised through a single successful attack. Attackers could access ADAudit Plus audit logs and administrative data, facilitating internal reconnaissance and potential lateral movement within an organization.
Mitigation and Security Recommendations
ManageEngine has released patched builds, issued between June 3 and June 12, 2026, that fix this vulnerability. Affected products include ADSelfService Plus version 6528 and earlier, RecoveryManager Plus version 6320 and earlier, M365 Manager Plus version 4816 and earlier, and ADAudit Plus version 8702 and earlier. The updates harden the SSO ticket generation mechanism so that tickets can no longer be predicted.
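The bug class described in the technical details above, and the kind of regression check a fix like the one ManageEngine shipped should pass, as an added illustration that is not ManageEngine's code (the vendor's actual ticket logic is not public). The weak issuer is a constructed stand-in for any generator whose only variable input is low-entropy state such as the login timestamp; usernames and timestamps are made up.

```python
"""Constructed illustration of the predictable-SSO-ticket bug class.

weak_ticket   - a ticket whose nonce comes from a non-cryptographic PRNG
                seeded with the login second (predictable by anyone who
                knows or guesses the login time).
strong_ticket - a ticket drawn from the OS CSPRNG (not derivable from
                any observable input).
The two checks below are what a defender would add to a test suite to
catch a regression to the weak behaviour.
"""
import hashlib
import hmac
import random
import secrets


def weak_ticket(username: str, issued_at: float) -> str:
    # Seeding random.Random with the login second makes the nonce a pure
    # function of (username, second): identical inputs -> identical ticket.
    rng = random.Random(int(issued_at))
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(username.encode() + nonce).hexdigest()


def strong_ticket(username: str, issued_at: float) -> str:
    # 256 bits from the CSPRNG. username/issued_at are accepted only so both
    # issuers share one signature; they play no part in the ticket value.
    return secrets.token_urlsafe(32)


def is_deterministic(issuer, username="alice", issued_at=1_780_000_000.0,
                     trials=5) -> bool:
    """Regression check: issuing several tickets for identical inputs must
    never yield a single repeated value. True means the issuer is predictable."""
    tickets = {issuer(username, issued_at) for _ in range(trials)}
    return len(tickets) == 1


def ticket_matches(presented: str, stored: str) -> bool:
    """Server-side comparison in constant time, so response timing does not
    reveal how many leading characters of a guessed ticket were correct."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    print("weak issuer predictable:  ", is_deterministic(weak_ticket))
    print("strong issuer predictable:", is_deterministic(strong_ticket))
```

Run as a unit test, the first check fails for any issuer that derives tickets from guessable state, which is the property the patched builds need to restore.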
Organizations using these products are strongly advised to apply the latest service packs immediately to secure their systems. Additionally, security teams should actively monitor authentication logs for unusual SSO activities and reassess access permissions on critical accounts.
Improving access controls and minimizing the exposure of identity services can further mitigate exploitation risks.
