Zoho Corporation has disclosed a critical vulnerability in ManageEngine, tracked as CVE-2026-11374, with a CVSS score of 9.0. The flaw allows unauthenticated attackers to predict single sign-on (SSO) tickets, potentially leading to account takeover in several products within the AD360 suite. Vulnerable versions exist for ADSelfService Plus, Recovery Manager Plus, M365 Manager Plus, and ADAudit Plus.
Although no active exploitation has been reported, administrators should update to the latest service packs to mitigate the risk. The vulnerability stems from weak ticket generation, which lets attackers gain unauthorized access to user accounts and sensitive data.
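The advisory does not describe how the affected products generate tickets, so the following is an added illustration of the general weakness class and its fix, not ManageEngine code. `weak_ticket`, `TicketStore` and `TICKET_TTL` are hypothetical names: the first shows why a ticket derived from guessable inputs is reproducible, the second issues tickets from the OS CSPRNG and enforces single use and expiry.

```python
import hashlib
import random
import secrets
import time

TICKET_TTL = 60  # seconds; assumed lifetime for this sketch


def weak_ticket(user, now):
    """Anti-pattern (constructed): ticket derived from guessable inputs.

    Anyone who knows the user name and the approximate issue time can
    recompute the same value, because the PRNG is seeded deterministically.
    """
    rng = random.Random(f"{user}:{int(now)}")
    return "%032x" % rng.getrandbits(128)


class TicketStore:
    """Issues opaque single-use tickets and keeps only their SHA-256 digest."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # digest -> (user, expiry timestamp)

    @staticmethod
    def _digest(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user):
        # 32 bytes (256 bits) from the OS CSPRNG; carries no user or time data.
        ticket = secrets.token_urlsafe(32)
        self._pending[self._digest(ticket)] = (user, self._clock() + TICKET_TTL)
        return ticket

    def redeem(self, ticket):
        # pop() makes the ticket single use, even if it turns out to be expired.
        entry = self._pending.pop(self._digest(ticket), None)
        if entry is None:
            return None
        user, expiry = entry
        return user if self._clock() <= expiry else None
```

Storing only the digest means a leaked ticket table cannot be replayed as valid tickets.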