Mallory
Unrated

Predictable SSO Tickets in ManageEngine AD360-Integrated Products

Identifiers: CVE-2026-11374, CWE-330

CVE-2026-11374 is a vulnerability in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when integrated with AD360. The issue is caused by predictable SSO ticket generation used to authenticate sessions. According to the provided content, AD360 issues a token to validate the session during its SSO flow, and an unauthenticated attacker can predict these tickets and craft valid session tokens without legitimate credentials. This can allow the attacker to impersonate users and authenticate into the affected applications. Affected versions are ADSelfService Plus 6528 and earlier, RecoveryManager Plus 6320 and earlier, M365 Manager Plus 4816 and earlier, and ADAudit Plus 8702 and earlier.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in account takeover and unauthorized access to affected ManageEngine applications. Because the flaw affects SSO within AD360-integrated deployments, compromise may expose sensitive user identity data, role-based access information, audit data, and administrative information across integrated services. In environments where AD360 acts as a central identity hub, the blast radius may extend beyond a single application and facilitate reconnaissance, privilege escalation depending on the compromised account, and potential lateral movement. The provided content also characterizes the confidentiality, integrity, and availability impacts as high.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the affected identity services, especially AD360-integrated SSO endpoints, and closely monitor authentication logs for unusual SSO activity or anomalous session creation. Review access permissions on critical accounts and strengthen access controls to limit the impact of account compromise. Because the issue is exploitable without authentication, minimizing network exposure of the affected services is advisable until patches are applied.
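
One way to act on the log-monitoring advice above, as an added example that is not Mallory's or ManageEngine's code: correlate SSO ticket issuance with redemption and flag redemptions the identity provider never issued or that do not match their issuance. The event schema, field names, ticket values and the 60-second lifetime are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema; real AD360 and
# product logs use their own formats and must be mapped to these fields first.
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "type": "issue",  "ticket": "t-aaa", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2026-06-01T09:00:02", "type": "redeem", "ticket": "t-aaa", "user": "alice", "ip": "10.0.0.5"},
    {"ts": "2026-06-01T09:05:00", "type": "redeem", "ticket": "t-bbb", "user": "admin", "ip": "203.0.113.9"},
    {"ts": "2026-06-01T09:10:00", "type": "issue",  "ticket": "t-ccc", "user": "bob",   "ip": "10.0.0.7"},
    {"ts": "2026-06-01T09:10:03", "type": "redeem", "ticket": "t-ccc", "user": "bob",   "ip": "198.51.100.4"},
    {"ts": "2026-06-01T09:20:00", "type": "issue",  "ticket": "t-ddd", "user": "carol", "ip": "10.0.0.8"},
    {"ts": "2026-06-01T09:20:01", "type": "redeem", "ticket": "t-ddd", "user": "carol", "ip": "10.0.0.8"},
    {"ts": "2026-06-01T09:31:00", "type": "redeem", "ticket": "t-ddd", "user": "carol", "ip": "10.0.0.8"},
]

MAX_AGE = timedelta(seconds=60)  # assumed ticket lifetime; tune to your deployment


def find_anomalies(events, max_age=MAX_AGE):
    """Return (ticket, reason) for every redemption that lacks a clean issuance."""
    issued, redeemed, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "issue":
            issued[ev["ticket"]] = (ts, ev["user"], ev["ip"])
            continue
        if ev["type"] != "redeem":
            continue
        rec = issued.get(ev["ticket"])
        if rec is None:  # the identity provider has no record of this ticket
            findings.append((ev["ticket"], "redeemed but never issued"))
            continue
        issued_ts, user, ip = rec
        if ev["ticket"] in redeemed:
            findings.append((ev["ticket"], "redeemed more than once"))
        if ev["user"] != user:
            findings.append((ev["ticket"], "user differs from issuance"))
        if ev["ip"] != ip:  # heuristic: proxies or NAT can cause benign mismatches
            findings.append((ev["ticket"], "source IP differs from issuance"))
        if ts - issued_ts > max_age:
            findings.append((ev["ticket"], "redeemed after expected lifetime"))
        redeemed.add(ev["ticket"])
    return findings


if __name__ == "__main__":
    for ticket, reason in find_anomalies(EVENTS):
        print(f"{ticket}: {reason}")
```

The check only works if both the issuing side and the consuming applications log a ticket identifier; where they do not, fall back to matching on user, source IP and a short time window.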

Remediation

Patch, then assume compromise.

Update affected products to vendor-fixed versions released between June 3 and June 12, 2026, and apply the latest available service packs from ManageEngine/Zoho. The content states that the vendor strengthened the SSO ticket generation mechanism in patched releases. The versions that need remediation are ADSelfService Plus 6528 and earlier, RecoveryManager Plus 6320 and earlier, M365 Manager Plus 4816 and earlier, and ADAudit Plus 8702 and earlier.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Zoho Corporation | Adaudit Plus | application
Zoho Corporation | Adselfservice Plus | application
Zoho Corporation | M365 Manager Plus | application
Zoho Corporation | Recoverymanager Plus | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
