CVE: CVE-2026-11374 | CVSS 3.1: 9.0 (CRITICAL) | CWE: CWE-340 (Generation of Predictable Numbers or Identifiers) | Vendor: ManageEngine (Zoho Corp) | Product: ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, ADAudit Plus | Affected versions: Multiple versions across all four products
What Is the Vulnerability
CVE-2026-11374 is a critical vulnerability in ManageEngine’s SSO token generation mechanism that affects four major enterprise products simultaneously: ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. The vulnerability stems from insufficient randomness in the generation of Single Sign-On (SSO) tokens — the tokens are predictable rather than cryptographically secure.
This is a cross-product vulnerability because all four products share a common SSO token generation library. The predictable token generation means an attacker who can observe or compute SSO token patterns can generate valid tokens that impersonate any authenticated user. Once a valid SSO token is forged, the attacker gains full session hijacking capabilities — they can access any resource the impersonated user is authorized for, across all four affected products.
The attack surface is significant: these ManageEngine products are widely deployed in enterprise environments for identity management (ADSelfService Plus handles self-service password resets and MFA for Active Directory), backup and recovery (RecoveryManager Plus for AD and Exchange), Microsoft 365 administration (M365 Manager Plus), and auditing (ADAudit Plus for compliance and change tracking). A single predictable token flaw in the shared library compromises the authentication boundary of the entire suite.
The CVSS 3.1 score of 9.0 reflects the combination of a network-accessible attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Versions Affected
- ManageEngine ADSelfService Plus — multiple versions (refer to the ManageEngine advisory for exact builds)
- ManageEngine RecoveryManager Plus — multiple versions
- ManageEngine M365 Manager Plus — multiple versions
- ManageEngine ADAudit Plus — multiple versions
Exploited?
There is no known active exploitation of CVE-2026-11374 in the wild at this time. However, given the critical severity and the relative ease of exploiting predictable token generation, organizations should treat this as a high-priority patching item before exploitation patterns emerge.
Fix
ManageEngine has released patches for all four affected products. The fix replaces the predictable token generation algorithm with a cryptographically secure random number generator (CSRNG). Organizations should upgrade each affected product to the patched version specified in the respective ManageEngine security advisory. Because the vulnerability is in a shared library, all four products must be updated — patching only one or two leaves the remaining products exposed through the same predictable token mechanism.
Patch links and build numbers are available in the official ManageEngine security advisories linked in the references section below.
Recommendations
- Immediately inventory all ManageEngine deployments in your environment — specifically ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus.
- Apply the vendor-provided patches to all four products. Do not skip any product — the shared library means partial patching leaves residual risk.
- If immediate patching is not possible, restrict network access to ManageEngine administrative interfaces to trusted IP ranges only.
- Monitor authentication logs for anomalous SSO token usage patterns — such as tokens being used from unexpected IP addresses or at unusual times.
- Consider rotating all active sessions and SSO tokens after patching, as tokens generated before the patch remain predictable.
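The following is an added illustration, not ManageEngine's code and not a description of the actual flawed algorithm: a hypothetical CWE-340 token generator seeded from a low-entropy value next to the hardened CSPRNG form the fix describes, plus a small session table that refuses tokens issued before the patch timestamp, as the rotation recommendation above requires. The `SessionStore` class, the `patched_at` field and the sample timestamps are assumptions for the example.

```python
import hashlib
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32  # 256 bits of token material


def weak_sso_token(seed: int) -> str:
    """Hypothetical CWE-340 pattern: a general-purpose PRNG seeded from a
    low-entropy value (e.g. a timestamp). The same seed always yields the
    same token, so anyone who can guess the seed can reproduce it."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def secure_sso_token() -> str:
    """Hardened form: token bytes come from the OS CSPRNG via `secrets`."""
    return secrets.token_hex(TOKEN_BYTES)


def _key(token: str) -> str:
    # Store only a hash of the token so a leaked session table cannot be
    # replayed; a dict lookup on the hash also avoids timing differences.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class SessionStore:
    """Minimal server-side session table. Tokens issued before `patched_at`
    are rejected, which forces re-authentication after the upgrade."""
    patched_at: float
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, user: str, now: float) -> str:
        token = secure_sso_token()
        self.sessions[_key(token)] = (user, now)
        return token

    def lookup(self, presented: str) -> Optional[str]:
        record = self.sessions.get(_key(presented))
        if record is None:
            return None
        user, issued_at = record
        return user if issued_at >= self.patched_at else None
```

Two calls of `weak_sso_token` with the same seed return the same token, while `secure_sso_token` produces distinct tokens on every call.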
References
- NVD: CVE-2026-11374
- ManageEngine Security Advisories (ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, ADAudit Plus)
- CWE-340: Generation of Predictable Numbers or Identifiers
Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 24, 2026 Vulnerability Intelligence Report for broader context.
