ManageEngine AD360 Flaw Exposes User Data to Attackers

ManageEngine has identified a critical vulnerability, designated as CVE-2026-11374, affecting several of its identity and access management products when integrated with the AD360 platform. This flaw enables unauthenticated attackers to predict single sign-on (SSO) tokens, potentially leading to unauthorized account access and exposure of sensitive user information.

The affected products include ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. These tools are widely utilized in enterprise environments for tasks such as identity governance, Active Directory management, auditing, and Microsoft 365 administration. The vulnerability is particularly concerning due to its potential impact on large-scale deployments.

Details of the AD360 Integration Vulnerability

Security researcher 0xmanhnv reported the vulnerability through Zoho’s BugBounty program, and ManageEngine has acknowledged the responsible disclosure. The issue arises from weaknesses in the generation of SSO tokens during the authentication process. Specifically, when users log in via AD360’s SSO, the system issues tokens to validate sessions. However, it was discovered that these tokens could be predicted by unauthenticated attackers, allowing them to craft valid session tokens without legitimate credentials.

Exploiting this flaw could enable attackers to impersonate users, gaining unauthorized access to systems and retrieving user identity details and role-based access information. This access could facilitate privilege escalation, depending on the compromised account’s permissions. In environments where AD360 serves as a central identity hub, the risk is amplified, as multiple integrated services could be compromised through a single attack.

For example, an attacker could generate a valid SSO token to access ADAudit Plus audit logs and administrative data, conducting internal reconnaissance and potentially moving laterally within the organization.
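The article attributes the flaw to tokens that can be reproduced without credentials. The following added example (not ManageEngine's code; AD360's actual token format is not published on this page and is not modelled here) contrasts a hypothetical scheme whose token is a pure function of public inputs with one backed by the OS CSPRNG and a server-side store, and includes a small determinism check a reviewer can run against any issuer function to catch the weak pattern.

```python
"""Added illustration: predictable versus unpredictable session tokens.
The weak scheme is a hypothetical stand-in, not the AD360 implementation."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional


# --- Hypothetical weak scheme: the token is fully determined by public inputs ---
def weak_issue(username: str, issued_at: int) -> str:
    # No secret enters the digest, so anyone who knows the username and the
    # approximate login time can recompute the same token.
    return hashlib.sha256(f"{username}:{issued_at}".encode()).hexdigest()


# --- Hardened scheme: random token, only its hash is kept server-side ---
def _fingerprint(token: str) -> str:
    # Storing a hash means a leaked session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def strong_issue(store: Dict[str, str], username: str) -> str:
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    store[_fingerprint(token)] = username  # never persist the raw token
    return token


def validate(store: Dict[str, str], token: str) -> Optional[str]:
    """Return the username bound to `token`, or None if unknown."""
    fp = _fingerprint(token)
    user = store.get(fp)
    if user is None:
        return None
    # Re-check the stored fingerprint in constant time before trusting it.
    stored_fp = next(k for k, v in store.items() if k == fp)
    return user if hmac.compare_digest(stored_fp, fp) else None


def is_deterministic(issue: Callable[..., str], *args, trials: int = 3) -> bool:
    """True if issuing with identical inputs yields identical tokens, i.e. the
    scheme injects no per-session randomness (the property a reviewer wants
    to rule out)."""
    return len({issue(*args) for _ in range(trials)}) == 1


if __name__ == "__main__":
    print("weak scheme deterministic:", is_deterministic(weak_issue, "alice", 1717000000))
    sessions: Dict[str, str] = {}
    print("strong scheme deterministic:", is_deterministic(strong_issue, sessions, "alice"))
    t = strong_issue(sessions, "bob")
    print("valid token maps to:", validate(sessions, t))
    print("tampered token maps to:", validate(sessions, t[:-1] + "x"))
```

The determinism check is deliberately black-box: it needs only the issuer function, so it can be pointed at any token source during a code review without knowing how the token is built internally.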

Affected Versions and Mitigation Measures

The vulnerability affects the following versions:

  • ADSelfService Plus version 6528 and earlier
  • RecoveryManager Plus version 6320 and earlier
  • M365 Manager Plus version 4816 and earlier
  • ADAudit Plus version 8702 and earlier

ManageEngine has released patches to address the issue in subsequent versions released between June 3 and June 12, 2026. The updates enhance the SSO token generation mechanism to prevent predictability.

Organizations using the affected products are strongly advised to apply the latest service packs immediately to secure their environments. Additionally, security teams should monitor authentication logs for unusual SSO activity and review access permissions across critical accounts. Strengthening access controls and limiting exposure of identity services can further mitigate the risk of exploitation.
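One concrete form of the log monitoring recommended above is to flag a single source address that establishes SSO sessions for many distinct users inside a short window, which is the shape forged session tokens would tend to leave. The example below is added here and is not ManageEngine's tooling; the log lines and their `key=value` format are constructed for illustration and do not represent the products' real log schema.

```python
"""Added detection sketch: fan-out of SSO logins across users from one source.
Log format and sample lines are constructed, not the vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (hypothetical format). 198.51.100.7 opens sessions for
# four different users within 20 seconds; 192.0.2.44 is a single ordinary login.
SAMPLE_LOG = """\
2026-06-05T10:00:01Z sso_login user=alice src=198.51.100.7 product=ADSelfServicePlus
2026-06-05T10:00:09Z sso_login user=bob src=198.51.100.7 product=ADAuditPlus
2026-06-05T10:00:15Z sso_login user=carol src=198.51.100.7 product=M365ManagerPlus
2026-06-05T10:00:20Z sso_login user=dave src=198.51.100.7 product=ADAuditPlus
2026-06-05T10:05:00Z sso_login user=erin src=192.0.2.44 product=ADSelfServicePlus
2026-06-05T11:30:00Z sso_login user=frank src=198.51.100.7 product=RecoveryManagerPlus
"""


def parse(line: str) -> dict:
    """Parse '<iso-ts> <event> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_s, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    return {"ts": ts, "event": event, **fields}


def find_fanout(log_text: str,
                window: timedelta = timedelta(minutes=5),
                threshold: int = 3) -> List[Tuple[str, List[str]]]:
    """Return (src, users) for every source that logged in as at least
    `threshold` distinct users within any `window`-long span."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["event"] == "sso_login":
            by_src[e["src"]].append(e)

    alerts: List[Tuple[str, List[str]]] = []
    for src, evs in by_src.items():
        best: set = set()
        start = 0
        # Sliding window over this source's time-ordered logins.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= threshold:
            alerts.append((src, sorted(best)))
    return alerts


if __name__ == "__main__":
    for src, users in find_fanout(SAMPLE_LOG):
        print(f"ALERT {src}: {len(users)} distinct users in window: {', '.join(users)}")
```

Tune `window` and `threshold` to the environment: a shared NAT egress or a jump host will legitimately show several users per address, so baseline normal fan-out per source before alerting on it, and correlate hits with the user's usual source addresses and with the interactive logins that should precede each SSO session.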

This incident underscores the importance of robust authentication mechanisms and proactive vulnerability management in safeguarding enterprise systems. Organizations should remain vigilant and ensure timely application of security patches to protect against emerging threats.