Support
 
PhoneGet Quote
 
Support
 
US Sales: +1 888 720 9500
US Support: +1 844 245 1108
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9890

 
 

CVE-2026-12591: Authenticated privilege escalation to Remote Code Execution vulnerability in M365 Manager Plus

Vulnerability details
Severity High
CVE ID CVE-2026-12591
Affected software versions Builds 4817 and earlier
Fixed version 4818
Fixed on June 24, 2026

Details

CVE-2026-12591 refers to an authenticated privilege escalation to Remote Code Execution vulnerability in ManageEngine M365 Manager Plus where an authenticated technician may exploit insufficient permission validation in the delegated administration interface to escalate privileges beyond their intended scope, which could result in remote code execution during administrative processing.

Impact

An authenticated technician could leverage privilege escalation to gain administrator access, which could lead to remote code execution on the server.

Fix

The issue has been resolved by implementing authorization checks for the affected APIs and sanitizing input values to prevent unauthorized privilege escalation and remote code execution.

Steps to update

Update your M365 Manager Plus instance to build 4818 or later using the service pack.

Acknowledgements

This issue was reported by ngockhanhattt through the Zoho BugBounty program.

If you have any questions or need assistance updating the product to the latest version, please contact product support or our security team.

A holistic Microsoft 365 administration solution