Executive Summary
A critical authentication vulnerability has been patched in four ManageEngine enterprise products. Tracked as CVE-2026-11374, the flaw stems from insufficiently random SSO (Single Sign-On) ticket generation: session tickets issued to authenticate users can be predicted by an unauthenticated attacker, enabling full account takeover without any credentials.
The affected products — ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus — are widely deployed in Windows Active Directory environments for self-service password reset, identity recovery, Microsoft 365 management, and AD auditing. Successful exploitation grants an attacker the ability to authenticate as any user, including privileged administrators.
CVE-2026-11374 carries a CVSS 3.1 score of 9.0 (CRITICAL). Patches are available — update immediately.
Vulnerability Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-11374 |
| CVSS 3.1 Score | 9.0 (CRITICAL) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Impact | Confidentiality High, Integrity High, Availability High |
| CWE | CWE-287 (Improper Authentication), CWE-330 (Insufficient Randomness), CWE-340 (Predictable Identifiers) |
| Platform | Windows |
Root Cause
When a user initiates a Single Sign-On session across the affected ManageEngine products, the application generates a session ticket used to validate and authenticate that session. The ticket generation algorithm uses insufficiently random values, resulting in a ticket space that an unauthenticated attacker can enumerate or predict.
Because these products integrate tightly with Active Directory and Windows authentication infrastructure, a predicted ticket grants the attacker access as the impersonated user — including any administrator or privileged service account that has recently authenticated.
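The weakness class behind this CVE (CWE-330 / CWE-340) and the fix for it, as an added Python illustration that is not code from the advisory or from ManageEngine: `weak_ticket` is a hypothetical time-seeded generator standing in for the pattern described above (the actual ManageEngine algorithm is not published here), set beside a hardened `TicketStore` that issues 256-bit CSPRNG tickets, stores only their hashes, and makes each ticket single-use and short-lived. Names, byte lengths and the TTL are assumptions for the example.

```python
import hashlib
import random
import secrets
import time
from typing import Dict, Optional, Tuple

TICKET_BYTES = 32          # 256 bits of CSPRNG output per ticket (assumed size)
TICKET_TTL_SECONDS = 300   # short lifetime; an unredeemed ticket expires quickly


def weak_ticket(issued_at: int, user: str) -> str:
    """Illustrative CWE-330/CWE-340 pattern (hypothetical, NOT ManageEngine's code):
    the PRNG is seeded with the issue time, so the ticket is a pure function of
    (user, second of issue). No secret enters the computation, which is why the
    ticket space stays small enough to enumerate for anyone who knows roughly
    when the session started."""
    rng = random.Random(issued_at)
    return hashlib.sha256(f"{user}:{rng.getrandbits(64)}".encode()).hexdigest()


def weak_ticket_space(window_seconds: int) -> int:
    """Distinct weak tickets possible for one user in a time window: one per second."""
    return window_seconds


class TicketStore:
    """Hardened pattern: unguessable, single-use tickets stored hashed, with expiry."""

    def __init__(self) -> None:
        self._issued: Dict[str, Tuple[str, float]] = {}  # sha256(ticket) -> (user, expires_at)

    @staticmethod
    def _fingerprint(ticket: str) -> str:
        # Only the hash is stored, so a leaked store does not leak live tickets
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(TICKET_BYTES)  # 256 bits from the OS CSPRNG
        self._issued[self._fingerprint(ticket)] = (user, now + TICKET_TTL_SECONDS)
        return ticket

    def redeem(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to a valid ticket, or None. Each ticket works once."""
        now = time.time() if now is None else now
        entry = self._issued.pop(self._fingerprint(ticket), None)  # consumed on first use
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None
```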
Attack Scenario
1. Attacker identifies a target user (e.g., an AD admin) scheduled to authenticate
2. Attacker observes or infers timing of SSO session initiation (e.g., business hours)
3. Attacker predicts the SSO ticket value for the target session
4. Attacker presents the forged ticket to the application
5. Application validates the ticket as legitimate — attacker is authenticated as target user
6. Attacker gains full access to the ManageEngine portal with the victim's privileges
Affected Products and Patched Versions
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| ADSelfService Plus | All versions before 6529 | 6529 |
| RecoveryManager Plus | All versions before 6321 | 6321 |
| M365 Manager Plus | All versions before 4817 | 4817 |
| ADAudit Plus | All versions before 8703 | 8703 |
Impact
- Account Takeover: Attacker can authenticate as any user whose SSO session ticket can be predicted, including system administrators.
- Privilege Escalation: Access to privileged ManageEngine roles (admin console, user management, audit data) without any credentials.
- Active Directory Compromise: ADSelfService Plus and ADAudit Plus have deep AD integration — a compromised session may enable password resets, account unlocks, and audit log tampering.
- Microsoft 365 Access: M365 Manager Plus manages Exchange Online, SharePoint, and Teams — compromise enables mail access, data exfiltration, and tenant-wide disruption.
- No Authentication Required: The attack vector is fully unauthenticated and network-accessible, making it trivially exploitable from any internet-reachable instance.
Remediation
Patch Immediately
ManageEngine has released patches for all four products. Apply the following builds as soon as possible:
| Product | Update To |
|---|---|
| ADSelfService Plus | Build 6529 or later |
| RecoveryManager Plus | Build 6321 or later |
| M365 Manager Plus | Build 4817 or later |
| ADAudit Plus | Build 8703 or later |
Updates are available from the ManageEngine customer portal and product update servers.
Identify Potentially Exposed Instances
- Check internet exposure: Determine whether any affected ManageEngine product is accessible from the internet. Restrict network access to internal networks and VPN wherever possible.
- Review authentication logs: In each product's audit/access logs, look for unexpected authentication events — particularly SSO logins occurring without corresponding user-initiated sessions or from unusual source IPs.
- Check AD for anomalous changes: Review Active Directory Security event logs (Event ID 4720, 4722, 4724, 4728) for unexpected user creation, password resets, or group membership changes that may indicate post-exploitation activity.
- Verify admin accounts: Cross-check ManageEngine admin account rosters with expected personnel. Look for any accounts created or modified during the vulnerability window.
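A defender-side check for the AD indicators listed above, as an added Python example that is not part of the advisory: it parses constructed Security-log lines for Event IDs 4720/4722/4724/4728 and flags actions taken through the (assumed) ManageEngine AD service account outside business hours, as well as bursts of such actions by one actor. The service-account name, the key=value line format, the business-hours window and the burst thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the advisory and what each records
WATCHED_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4728: "member added to a security-enabled global group",
}
# Assumptions for this example: the AD account ManageEngine acts through,
# the local business-hours window, and what counts as a burst.
SERVICE_ACCOUNTS = {"svc_adssp"}
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 local time
BURST_THRESHOLD = 3                   # this many watched events by one actor
BURST_WINDOW = timedelta(minutes=5)   # ...inside this window raises a flag

# Constructed sample lines in a simple key=value format (not real log data)
SAMPLE_LOG = [
    "TimeCreated=2026-06-24T09:12:00|EventID=4724|SubjectUserName=svc_adssp|TargetUserName=jsmith",
    "TimeCreated=2026-06-24T02:31:10|EventID=4724|SubjectUserName=svc_adssp|TargetUserName=da_backup",
    "TimeCreated=2026-06-24T02:31:40|EventID=4722|SubjectUserName=svc_adssp|TargetUserName=da_backup",
    "TimeCreated=2026-06-24T02:32:05|EventID=4728|SubjectUserName=svc_adssp|TargetUserName=Domain Admins",
    "TimeCreated=2026-06-24T10:05:00|EventID=4624|SubjectUserName=jdoe|TargetUserName=jdoe",
]


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict with typed EventID and TimeCreated."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["EventID"] = int(fields["EventID"])
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


def flag_events(lines):
    """Return (reason, event) pairs for watched events that look anomalous."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["TimeCreated"])
    flagged, by_actor = [], defaultdict(list)
    for ev in events:
        if ev["EventID"] not in WATCHED_EVENTS:
            continue
        actor = ev["SubjectUserName"]
        if actor in SERVICE_ACCOUNTS and ev["TimeCreated"].hour not in BUSINESS_HOURS:
            flagged.append(("off-hours action by service account", ev))
        by_actor[actor].append(ev)
        recent = [e for e in by_actor[actor] if ev["TimeCreated"] - e["TimeCreated"] <= BURST_WINDOW]
        if len(recent) == BURST_THRESHOLD:  # fire once, when the threshold is first reached
            flagged.append(("burst of watched events by one actor", ev))
    return flagged
```

Feed it real events exported in the same key=value shape (or adapt `parse_event` to your SIEM's export) and review every flagged event against change tickets for the same window.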
Hardening Recommendations
- Network segmentation: Place ManageEngine products behind VPN or firewall rules restricting access to authorized IP ranges.
- MFA enforcement: Enable multi-factor authentication for all ManageEngine admin and privileged accounts as a defense-in-depth measure.
- Session timeout reduction: Minimize SSO session lifetimes to reduce the prediction window for active tickets.
- Monitoring: Set up alerts for bulk authentication attempts, off-hours admin access, or rapid sequential SSO session requests against these products.
ManageEngine Security History
ManageEngine products have been the subject of multiple critical vulnerabilities in recent years, including RCE flaws exploited by nation-state actors (e.g., CVE-2022-47966 exploited by APT groups, CVE-2021-40539 exploited by APT41). Organizations running ManageEngine products should treat them as high-value targets requiring priority patching, network segmentation, and enhanced monitoring.
Timeline
| Date | Event |
|---|---|
| 2026 (Q1-Q2) | Vulnerability discovered and reported to ManageEngine |
| 2026-06-23 | CVE-2026-11374 published; ManageEngine advisory and patches released |
| Active | Patches available for all four affected products |