Severity: High
CVE ID: CVE-2026-12571
Affected Software Version(s): DDI Central 6.2.0 / Build 6200
Fixed Version: Build 6201
Fixed on: June 18, 2026
Details:
ManageEngine DDI Central 6.2.0 (build 6200) contained an authentication bypass vulnerability in the password-reset verification workflow. This issue could allow an unauthenticated user to reset an account password without a valid recovery code.
The vulnerability has been fixed by requiring a valid, non-empty verification code during password-reset verification. Explicit permission enforcement has also been added to the password-reset confirmation view.
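The kind of check the fix describes, as an added example. It is not ManageEngine's code, and the advisory does not publish the vulnerable logic. `weak_verify` shows a generic pattern in which a missing code compares equal to an empty submission; `verify_reset_code` is a hardened check. All names, the record layout and the sample code value are hypothetical.

```python
import hashlib
import hmac
import time


class ResetRecord:
    """Hypothetical server-side record of one pending password reset."""

    def __init__(self, code_hash, expires_at):
        self.code_hash = code_hash    # hex SHA-256 of the issued code, "" if none issued
        self.expires_at = expires_at  # UNIX timestamp after which the code is invalid
        self.used = False


def hash_code(code):
    """Hash a recovery code so the plaintext is never stored."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def weak_verify(stored_code, submitted):
    # Generic weak pattern: when no code was issued (None or ""), an empty
    # or absent submission compares equal and the check passes.
    return (stored_code or "") == (submitted or "")


def verify_reset_code(record, submitted, now=None):
    """Return True only for a non-empty, unexpired, unused, matching code."""
    now = time.time() if now is None else now
    # Reject a missing, non-string, or whitespace-only code before any comparison.
    if not isinstance(submitted, str) or not submitted.strip():
        return False
    # Reject when no reset was requested or no code was ever issued.
    if record is None or not record.code_hash:
        return False
    if record.used or now >= record.expires_at:
        return False
    # Constant-time comparison of the hashes avoids a timing side channel.
    if not hmac.compare_digest(record.code_hash, hash_code(submitted.strip())):
        return False
    record.used = True  # a code is valid for a single use
    return True
```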
Impact:
Successful exploitation of this vulnerability could result in unauthorized account password reset and account takeover.
Steps to upgrade:
Update your DDI Central Console and Node Agent instances to the latest build 6201 using the service pack.
Acknowledgements:
This issue was reported by d3lt4_2410.