Session Prediction Vulnerability in ManageEngine Products
CVE-2026-11374

9 CRITICAL

What is CVE-2026-11374?

A vulnerability in ManageEngine products allows unauthenticated users to predict single sign-on (SSO) tickets, potentially leading to unauthorized account access. The flaw affects several ManageEngine services, including ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, and presents a significant security risk for organizations that rely on these tools.

Affected Version(s)

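  • manageengine_adaudit_plus (Windows): versions from 0 up to, but not including, 8703

  • manageengine_adselfservice_plus (Windows): versions from 0 up to, but not including, 6529

  • manageengine_m365_manager_plus (Windows): versions from 0 up to, but not including, 4817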

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
