CVE-2026-11374 (CRITICAL), CNA: Zohocorp

CVE-2026-11374: Account Takeover via Predictable SSO Ticket Generation

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.

Metrics

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: 4817
Affected Products: 4


HarborGuard Analysis

Synopsis

This is an authentication bypass via predictable SSO ticket generation affecting ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. The vulnerability is reachable over the network and requires no authentication, though successful exploitation depends on environmental timing and prediction conditions (CVSS AC:H). A remote unauthenticated attacker who predicts a valid SSO ticket gains full account takeover, with complete read, write, and availability impact across the affected service and potentially connected systems (CVSS scope change: C). Patched-image rebuilds at the respective fix versions (4817, 6321, 6529, 8703) are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-11374 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication via continuous ingestion from upstream advisory feeds. Coverage extends to custom-built images that bundle any of the four affected ManageEngine products, not just official vendor images.

Triage (Available)

HarborGuard is capable of scoring this finding at CVSS 9.0 Critical (v3.1) and weighting it against each customer organization's configured compliance policy to determine urgency tier. Triage routing directs the finding to the appropriate team inbox within each customer org based on image ownership and policy assignments.

Patch (Available)

A patched-image rebuild at each respective fix version (ADSelfService Plus 6529, RecoveryManager Plus 6321, M365 Manager Plus 4817, ADAudit Plus 8703) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; all four products expose network-accessible endpoints that serve SSO ticket validation.

  • Authentication: Not required

    No account or credentials are needed at any point; ticket prediction is performed entirely by an unauthenticated party.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and does not require any action from a logged-in user or administrator.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must overcome environmental conditions such as timing constraints or entropy-related factors to successfully predict a valid SSO ticket.

Blast Radius

  • A successful attacker takes over an arbitrary user account, including administrator accounts, on the targeted ManageEngine product.
  • With a hijacked session the attacker reads sensitive directory data, audit logs, M365 tenant configurations, and stored credentials or recovery information managed by the platform.
  • The attacker modifies user accounts, recovery workflows, audit configurations, or M365 policy objects persisted by the affected service.
  • Because the CVSS scope is changed (S:C), the attacker can pivot from the compromised ManageEngine product into connected systems such as Active Directory, Azure AD tenants, or any service the platform is authorized to manage.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11374 fires within minutes of ingestion for any customer image containing an affected version of ADSelfService Plus (below 6529), RecoveryManager Plus (below 6321), M365 Manager Plus (below 4817), or ADAudit Plus (below 8703). Given the Critical severity and scope-changed CVSS vector, this CVE qualifies for expedited handling. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image at the appropriate fix version, running a regression test, and opening a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the responsible team inbox with full context. Customers who cannot immediately apply the fix should consider isolating affected ManageEngine instances behind a network policy that restricts inbound SSO endpoint access to known IP ranges, and review audit logs for anomalous session activity tied to SSO ticket usage.


Fix available: 4817, 6321, 6529, 8703

Affected packages
  • zohocorp / manageengine_adselfservice_plus
    < 6529 (from 0)
  • zohocorp / manageengine_recovery_manager_plus
    < 6321 (from 0)
  • zohocorp / manageengine_m365_manager_plus
    < 4817 (from 0)
  • zohocorp / manageengine_adaudit_plus
    < 8703 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H