Free Edition| Vulnerability details | |
| Severity | High |
| CVE ID | CVE-2026-11374 |
| Product details | |||
| Name | Affected version(s) | Fixed version(s) | Fixed on |
| ADSelfService Plus | 6528 and earlier | 6529 | 3 June, 2026 |
| RecoveryManager Plus | 6320 and earlier | 6321 | 5 June, 2026 |
| M365 Manager Plus | 4816 and earlier | 4817 | 10 June, 2026 |
| ADAudit Plus | 8702 and earlier | 8703 | 12 June, 2026 |
CVE-2026-11374 refers to a security vulnerability reported in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when these products are deployed as integrated components within ManageEngine AD360. When a user signs in through single sign-on (SSO) to ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, or ADAudit Plus integrated with ManageEngine AD360, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated attacker, leading to account takeover.
An unauthenticated attacker who successfully predicts a valid SSO ticket could obtain the targeted user's identity and role information, ultimately leading to a takeover of that user's account.
This issue has been resolved by strengthening the way SSO tickets are generated during the single sign-on session, ensuring they can no longer be predicted by an unauthenticated attacker.
Download and apply the latest service pack from the following links:
This issue was reported by 0xmanhnv through the Zoho BugBounty program.
Please contact product support at the mail addresses mentioned below for further assistance. You can also contact our security team.
Need further assistance? Fill this form, and we'll contact you rightaway.
Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.
Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.
Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
