CVE-2026-11374 – ManageEngine Authentication Security Update

CVSS 9 CRITICAL Critical or Zero Day – Immediate Deployment

“A predictable authentication token can turn a trusted login into an easy target.”

This security update addresses CVE-2026-11374, a critical authentication vulnerability affecting ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. The issue allows an unauthenticated attacker to predict SSO tickets generated during authentication, potentially leading to account takeover.

The CVSS score is 9.0, which is Critical severity. No verified real-world exploitation or public proof-of-concept has been confirmed. The update strengthens the generation of SSO authentication tickets to prevent prediction and reduce the risk of unauthorized access.

Key Details

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-287
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.