Vulnerability intelligence
CVE-2026-11374
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
CVSS Score
9
Critical
EPSS — Exploit Probability
1.2%
Riskier than 65% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
1 article across 1 outlet · first covered Jun 25, 2026 · latest Jun 25, 2026
Coverage timeline
-
Zoho patches critical SSO ticket flaw in ManageEngine AD360 suitesecurityonline.info · Jun 25, 2026