Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11374

CVE-2026-11374: ManageEngine SSO Auth Bypass Vulnerability

CVE-2026-11374 is an authentication bypass flaw in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. Predictable SSO tickets enable account takeover attacks by unauthenticated users.

Published:

CVE-2026-11374 Overview

CVE-2026-11374 is an authentication weakness affecting multiple Zoho ManageEngine products, including ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. The flaw resides in how Single Sign-On (SSO) tickets are generated to authenticate user sessions. An unauthenticated remote attacker can predict these tickets and impersonate legitimate users. Successful exploitation results in full account takeover within the affected ManageEngine applications. The weakness is categorized under [CWE-287] Improper Authentication. ManageEngine published a security advisory acknowledging the issue and released fixed builds.

Critical Impact

Predictable SSO tickets allow unauthenticated attackers to take over accounts across four ManageEngine identity and audit products, bypassing primary authentication controls.

Affected Products

  • ManageEngine ADSelfService Plus
  • ManageEngine RecoveryManager Plus
  • ManageEngine M365 Manager Plus
  • ManageEngine ADAudit Plus

Discovery Timeline

  • 2026-06-23 - CVE-2026-11374 published to the National Vulnerability Database (NVD)
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-11374

Vulnerability Analysis

The vulnerability stems from insufficient entropy in the SSO ticket generation routine used by the affected ManageEngine products. When a session is authenticated via SSO, the application issues a ticket that the client subsequently presents to prove identity. Because the ticket values are predictable, an attacker can derive valid tickets without first authenticating. The flaw maps to [CWE-287] Improper Authentication and impacts identity-critical applications that often manage Active Directory, Microsoft 365, and audit data. Compromise grants attackers access to sensitive directory operations, password resets, and audit log manipulation.

Root Cause

The root cause is the use of a weak or deterministic algorithm to generate SSO tickets. Ticket values do not incorporate sufficient cryptographic randomness, allowing remote attackers to enumerate or predict valid values. This is a classic broken authentication pattern where the secret token used to bind a session to a user can be guessed by an unauthenticated party. ManageEngine addressed the issue by replacing the ticket generation logic in updated builds referenced in the vendor advisory.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker reaches the SSO endpoint exposed by the affected ManageEngine product over HTTP or HTTPS. The attacker predicts a valid SSO ticket for a target user and submits it to the authentication handler. The application accepts the forged ticket and establishes an authenticated session as the targeted account. Where administrative accounts are targeted, the attacker inherits full management capabilities over the directory or audit platform. See the ManageEngine Security Advisory for technical details on the affected builds and the corrected ticket generation logic.

Detection Methods for CVE-2026-11374

Indicators of Compromise

  • Successful SSO authentication events for users who did not initiate an SSO flow from their identity provider.
  • Bursts of failed or malformed SSO ticket submissions to ManageEngine endpoints from a single source IP.
  • New administrative actions in ADSelfService Plus, ADAudit Plus, RecoveryManager Plus, or M365 Manager Plus that do not correlate with a prior interactive login.
  • Session creation from geolocations or user agents not previously associated with the user account.

Detection Strategies

  • Review ManageEngine application access logs for SSO ticket validation events lacking a corresponding identity provider assertion.
  • Correlate ManageEngine authentication events with upstream IdP logs to identify sessions established without a matching SAML or OIDC transaction.
  • Alert on anomalous administrative operations such as bulk password resets, audit policy changes, or mailbox configuration changes performed by service or admin accounts.

Monitoring Recommendations

  • Forward ManageEngine product logs to a centralized SIEM and retain authentication telemetry for at least 90 days.
  • Monitor outbound and inbound network traffic to ManageEngine web consoles, focusing on repeated requests to SSO ticket endpoints.
  • Track changes to privileged group membership in Active Directory and Entra ID that originate from ManageEngine service accounts.

How to Mitigate CVE-2026-11374

Immediate Actions Required

  • Upgrade ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus to the fixed builds listed in the ManageEngine advisory.
  • Restrict network access to ManageEngine consoles to trusted management networks until patching is complete.
  • Rotate credentials and API keys for any service accounts integrated with the affected products.
  • Invalidate active SSO sessions and force re-authentication after applying the patch.

Patch Information

ManageEngine has released fixed builds for each affected product. Administrators should consult the ManageEngine Security Advisory for the specific build numbers and upgrade procedures applicable to their deployment.

Workarounds

  • Place ManageEngine web consoles behind a VPN or reverse proxy that enforces strong authentication before reaching the SSO endpoint.
  • Disable SSO temporarily and require direct multi-factor authentication for administrative accounts where business processes allow.
  • Apply web application firewall rules to rate-limit and inspect requests to ManageEngine SSO ticket validation endpoints.
bash
# Example: restrict access to ManageEngine console with iptables
iptables -A INPUT -p tcp --dport 8888 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.