Direct Inward Dialing: +1 408 916 9890
| Vulnerability details | |
| Severity | High |
| CVE ID | CVE-2026-12591 |
| Affected software versions | Builds 4817 and earlier |
| Fixed version | 4818 |
| Fixed on | June 24, 2026 |
CVE-2026-12591 refers to an authenticated privilege escalation to Remote Code Execution vulnerability in ManageEngine M365 Manager Plus where an authenticated technician may exploit insufficient permission validation in the delegated administration interface to escalate privileges beyond their intended scope, which could result in remote code execution during administrative processing.
An authenticated technician could leverage privilege escalation to gain administrator access, which could lead to remote code execution on the server.
The issue has been resolved by implementing authorization checks for the affected APIs and sanitizing input values to prevent unauthorized privilege escalation and remote code execution.
Update your M365 Manager Plus instance to build 4818 or later using the service pack.
This issue was reported by ngockhanhattt through the Zoho BugBounty program.
If you have any questions or need assistance updating the product to the latest version, please contact product support or our security team.