CVE-2026-11374

critical

Description

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

References

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html

Details

Source: Mitre, NVD

Published: 2026-06-23

Updated: 2026-06-24

CVSS v3

Base Score: 9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01237

Detections

Analytics