
ManageEngine AD360 Account Takeover (CVE-2026-11374): Update Now

Unauthenticated account takeover hits ManageEngine products integrated with AD360 (CVE-2026-11374, CVSS 9.0), via predictable SSO tickets. Update now.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.23

A flaw has been found in a set of ManageEngine products (software many companies use to manage employee passwords and run Active Directory, the system that centrally manages user accounts inside an organization) that lets an unauthenticated outsider take over a user's account. The vulnerability identifier is CVE-2026-11374, with a severity of 9.0 (Critical) out of 10 on the CVSS scale.

The root cause lies in the mechanism for "SSO (single sign-on)," which lets a user reach multiple services with one login. The token used to identify a logged-in user could be predicted from the outside. If an attacker guesses it correctly, they can impersonate that user without knowing the password. The maker, Zoho (the company behind the ManageEngine brand), has already released fixes.

The impact is limited to deployments integrated with the unified management suite "ManageEngine AD360." Organizations using the four affected products in that setup should move to the fixed builds described below sooner rather than later.

Affected products: ADSelfService Plus / RecoveryManager Plus / M365 Manager Plus / ADAudit Plus (when integrated with AD360)
Vulnerability ID: CVE-2026-11374
Severity: CVSS 9.0 (Critical)
Type of flaw: Improper authentication / predictable SSO ticket (CWE-287 / CWE-330 / CWE-340)
What could happen: Account takeover without authentication
Attack conditions: Remote, no auth, no user action (but high attack complexity)
Response: Update to the fixed build (no workaround)

Who does this flaw affect, and how?

The targets are organizations that place management tools integrated with ManageEngine AD360 somewhere reachable from the internet. These products are the entry point through which employees reset their own passwords and administrators handle accounts and audit logs. To an attacker, that is where the "ring of keys" to the organization is gathered, and if it can be opened from the front, there is hardly a more convenient target.

What the attacker does is predict the token (SSO ticket) that identifies a logged-in user, and hijack that login session by impersonating the person. No password entry and no phishing email are needed. Once the impersonation succeeds, they inherit that user's permissions and roles as-is. If the hijacked account belongs to an administrator, the impact spreads all at once.

Realistic damage includes using a hijacked employee account as a foothold to break into internal systems, abusing the password-reset feature to seize other accounts, and viewing or tampering with audit logs to erase traces of the intrusion. When the foundation of identity management is breached, the user management of the entire company that rides on top of it is shaken. As noted below, this attack is not trivial to pull off, but its severity is undiminished. That is exactly why updating to the fixed version is worth hurrying.

Affected products and fixed builds at a glance

Here are the four affected products, with their fixed builds and release dates. Compare them against the build number of the product you run; if yours is older than the one below, you need to update. The fixes have been rolling out since early June 2026.

Product              | Affected build   | Fixed build | Fix release date
---------------------|------------------|-------------|-----------------
ADSelfService Plus   | 6528 and earlier | 6529        | June 3, 2026
RecoveryManager Plus | 6320 and earlier | 6321        | June 5, 2026
M365 Manager Plus    | 4816 and earlier | 4817        | June 10, 2026
ADAudit Plus         | 8702 and earlier | 8703        | June 12, 2026

In every case, what is affected is not standalone use but a configuration integrated with AD360. The fix for each product is distributed as a "service pack," which you can apply from the product's update menu or from ManageEngine's service-pack download page.

What is happening technically

The heart of the problem is how the "ticket" issued to authenticate an SSO session is generated. According to ManageEngine, when you sign in to these products via SSO through AD360, the ticket generated to authenticate that session was predictable to an unauthenticated attacker. A ticket should be a random value that no third party can guess.

This is classified as use of insufficiently random values (CWE-330) and generation of predictable identifiers (CWE-340), which in turn lead to improper authentication (CWE-287). By guessing a valid ticket, the advisory says, an attacker can obtain the target user's identity and role information and take over the account.
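To make the CWE-330 / CWE-340 distinction concrete, here is an added illustration (not ManageEngine's code; the actual ticket format and the conditions that made it predictable are undisclosed): a ticket drawn from a non-cryptographic PRNG seeded with a coarse value is reproducible by anyone who can narrow down that seed, whereas a ticket drawn from the OS CSPRNG, kept opaque server-side, single-use and short-lived, is not. `TicketStore` and its TTL are assumptions for the illustration.

```python
import hmac
import random
import secrets

TICKET_BYTES = 32  # 256 bits of entropy for the hardened ticket


def weak_ticket(seed: int) -> str:
    """Illustrative CWE-330 pattern (constructed, NOT the vendor's code):
    a ticket derived from a non-cryptographic PRNG seeded with a coarse
    value such as a timestamp. The same seed always yields the same ticket,
    so the ticket is a predictable identifier (CWE-340)."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def strong_ticket() -> str:
    """Hardened form: draw the ticket from the OS CSPRNG."""
    return secrets.token_hex(TICKET_BYTES)


class TicketStore:
    """Assumed server-side store: tickets are opaque handles that map to a
    user, expire after `ttl_seconds`, and can be redeemed exactly once."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket -> (user, expiry timestamp)

    def issue(self, user: str, now: float) -> str:
        ticket = strong_ticket()
        self._tickets[ticket] = (user, now + self.ttl)
        return ticket

    def redeem(self, presented: str, now: float):
        """Return the user for a valid, unexpired ticket, else None.
        Comparison is constant-time per stored ticket; the ticket is
        consumed on first use whether or not it has expired."""
        for ticket, (user, expiry) in list(self._tickets.items()):
            if hmac.compare_digest(ticket, presented):
                del self._tickets[ticket]
                return user if now <= expiry else None
        return None
```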

Reading the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), the attack can succeed over the network, with no prior authentication and no user action. On the other hand, the "attack complexity: high (AC:H)" rating means that predicting the ticket requires certain conditions and attempts, and is not something just anyone can reproduce easily. Even so, given that an account can be seized without authentication and the breadth of the impact, the overall score is rated 9.0 (Critical). Zoho says it has strengthened how tickets are generated so they can no longer be predicted.

What administrators should do now

No workaround (a temporary mitigation via configuration change) has been published. Updating to the fixed build is the only response. Step by step:

1. Check your configuration. First, confirm whether you use any of ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, or ADAudit Plus integrated with AD360. If you have not integrated with AD360, you are not directly within scope of this issue.

2. Check your build number and update. If a product's build is older than the one in the table above, apply the distributed service pack. ADSelfService Plus is fixed at 6529, RecoveryManager Plus at 6321, M365 Manager Plus at 4817, and ADAudit Plus at 8703 and later. The update steps can be reached from each product's advisory.

3. Review your exposure. These management tools generally do not need to be broadly exposed to the internet. Check that they are not directly accessible from outside, using firewalls and access restrictions. This is also a basic measure to limit the damage if another vulnerability appears.

ManageEngine's account-management products have a history of authentication-bypass vulnerabilities being exploited in real attacks and listed multiple times in the U.S. government's Known Exploited Vulnerabilities (KEV) catalog. CVE-2026-11374 is not in KEV as of writing and no exploitation has been reported, but keeping in mind that this is an often-targeted product, it is safest not to put off the update. Earlier cases of authentication bypass in a login platform, such as the one in Casdoor and the account takeover in GitLab, share a common point: self-hosted products tend to lag on updates and are therefore more dangerous.

What we know, and what we don't yet

✓ Confirmed facts

  • In AD360-integrated deployments of the four products including ADSelfService Plus, a predictable SSO ticket allows account takeover without authentication (ManageEngine official advisory)
  • CVSS 9.0 (Critical). Classified as CWE-287 / 330 / 340 (NVD)
  • Fixed builds = ADSelfService Plus 6529 / RecoveryManager Plus 6321 / M365 Manager Plus 4817 / ADAudit Plus 8703, shipping since early June 2026
  • Discovered by 0xmanhnv via the Zoho Bug Bounty program

? Not yet confirmed

  • Exploitation in real attacks: not in KEV as of writing, no in-the-wild reports
  • A verifiable public PoC (proof-of-concept exploit): none identified
  • The specific conditions required to predict a ticket: undisclosed (attack complexity rated "high")

Frequently asked questions

Q. I use a ManageEngine product standalone. Am I affected?

This advisory covers configurations where the four products are integrated with the AD360 suite. There is no mention of the vulnerability for standalone use. That said, since the fixed builds are shipping steadily, it is safest to update to the latest service pack regardless of configuration.

Q. It's CVSS 9.0, yet "attack complexity is high"? What does that mean?

The overall CVSS score combines the size of the impact (an account can be seized without authentication) and how easy the attack is. Here the impact is extremely large, while predicting the ticket requires certain conditions and attempts, so attack complexity is rated "high." The overall figure comes out high at 9.0, but it does not necessarily mean "anyone can exploit it instantly."

Q. Is there a risk it is already being attacked?

As of writing, no in-the-wild exploitation or KEV listing has been confirmed. However, ManageEngine's account-management products have been targeted in the past, so you cannot let your guard down. Not putting off the update is the best preparation.

Sources