CVE-2026-11374
Status: PUBLISHED
Published: 23 Jun 2026, 08:19 (vulnerability first disclosed)
Last modified: 23 Jun 2026, 12:03 (vulnerability information updated)

Vulnerability Summary
- Overall risk (default): high, 70/100
- CVSS score: 9 CRITICAL, v3.1 (cve.org)
- EPSS score: 1.24% LOW (about 1% probability of exploitation)
- KEV: not listed
- Ransomware: no reports
- Public exploits: none found
- Dark web: not detected
Description
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.
CVSS Metrics
- v3.1, CRITICAL, score: 9, vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 1.24%, percentile: 65%
Techniques & Countermeasures
- CWE-340, Generation of Predictable Numbers or Identifiers: the product uses a scheme that generates numbers or identifiers that are more predictable than required.
- CWE-330, Use of Insufficiently Random Values: the product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
- CWE-287, Improper Authentication: when an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Systems
- zohocorp manageengine_adaudit_plus: versions < 8703
- zohocorp manageengine_adselfservice_plus: versions < 6529
- zohocorp manageengine_m365_manager_plus: versions < 4817
- zohocorp manageengine_recovery_manager_plus: versions < 6321