CVE-2026-11374

EUVD-2026-38423
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| Zohocorp | CNA | 9 CRITICAL | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
EPSS Score percentile: 65%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | 𝑥 < 6529 | CNA |
| zohocorp | manageengine_adselfservice_plus | 𝑥 < 6321 | CNA |
| zohocorp | manageengine_adselfservice_plus | 𝑥 < 4817 | CNA |
| zohocorp | manageengine_adselfservice_plus | 𝑥 < 8703 | CNA |