9

CVE-2026-11374

Medienbericht

Account Takeover via Predictable SSO Ticket Generation

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted
 by an unauthenticated user, leading to account takeover.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerzohocorp
Produkt manageengine_adselfservice_plus
Default Statusunaffected
Version 0
Version < 6529
Status affected
Herstellerzohocorp
Produkt manageengine_recovery_manager_plus
Default Statusunaffected
Version 0
Version < 6321
Status affected
Herstellerzohocorp
Produkt manageengine_m365_manager_plus
Default Statusunaffected
Version 0
Version < 4817
Status affected
Herstellerzohocorp
Produkt manageengine_adaudit_plus
Default Statusunaffected
Version 0
Version < 8703
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.24% 0.652
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
0fc0942c-577d-436f-ae8e-945763c79b02 9 2.2 6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-340 Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
24.06.2026 13:35
https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html