by an unauthenticated user, leading to account takeover.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | unaffected |
|
||||||
| zohocorp | manageengine_recovery_manager_plus | unaffected |
|
||||||
| zohocorp | manageengine_m365_manager_plus | unaffected |
|
||||||
| zohocorp | manageengine_adaudit_plus | unaffected |
|
No data.
No data.
| Vendor | Product | Confidence | Versions | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Zohocorp | Manageengine Adaudit Plus | 100% |
|
||||||||
| Zohocorp | Manageengine Adselfservice Plus | 100% |
|
||||||||
| Zohocorp | Manageengine M365 Manager Plus | 100% |
|
||||||||
| Zohocorp | Manageengine Recovery Manager Plus | 100% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 24 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
ssvc
|
Tue, 23 Jun 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Zohocorp
Zohocorp manageengine Adaudit Plus Zohocorp manageengine Adselfservice Plus Zohocorp manageengine M365 Manager Plus Zohocorp manageengine Recovery Manager Plus |
|
| Vendors & Products |
Zohocorp
Zohocorp manageengine Adaudit Plus Zohocorp manageengine Adselfservice Plus Zohocorp manageengine M365 Manager Plus Zohocorp manageengine Recovery Manager Plus |
|
| Metrics |
ssvc
|
Tue, 23 Jun 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover. | |
| Title | Account Takeover via Predictable SSO Ticket Generation | |
| Weaknesses | CWE-287 CWE-330 CWE-340 |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Zohocorp
Published:
Updated: 2026-06-24T15:48:27.756Z
Reserved: 2026-06-05T12:25:17.739Z
Link: CVE-2026-11374
Vulnrichment
Updated: 2026-06-23T12:03:53.541Z
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-24T12:00:05Z