External risk intelligence

ManageEngine Products Account Takeover Via Predictable SSO Tickets

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-11374

The affected products are self-service identity, password management, and auditing portals designed to be accessible to end-users for authentication and account management. These services are commonly deployed to be internet-facing or reachable by a broad user base to facilitate remote access and self-service capabilities.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in several ManageEngine products, specifically related to how authentication tickets are generated. An attacker could potentially predict these tickets without needing to log in, which could allow them to take over user accounts. This impacts systems that handle identity and access management, and its relevance needs to be confirmed for our environment.

  • Predictable tickets allow unauthorized account access.
  • Affects identity and access management systems.
  • Confirm relevance and exposure for our environment.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could predict special tickets used to verify user sessions in several ManageEngine products. This could allow an attacker to impersonate legitimate users and gain unauthorized access to accounts.

  • Attacker needs network access.
  • Predictable session tickets.
  • Account takeover.

Live Threat

Current exploitation, exposure, and threat context

SSO tickets used for session authentication in specific ManageEngine products could be predicted by unauthenticated users, potentially leading to unauthorized access and account takeover. This could affect system access and user account control when these products are accessible externally.

  • User accounts and system access.
  • Ticket prediction by unauthenticated users.
  • Account takeover and unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The potential for account takeover through predictable SSO tickets in ManageEngine products like ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus necessitates immediate attention from teams managing these identity and access management solutions. The first practical step is to inventory all instances of these products, confirm their external reachability and business criticality, and identify the accountable system owners. Subsequently, a risk-based remediation plan, potentially involving vendor coordination or temporary mitigating controls, should be developed and executed.

  • Identify and inventory affected systems.
  • Verify external reachability and business impact.
  • Plan remediation based on ownership and risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ManageEngine ADSelfService Plus and related software?

These are administrative and end-user platforms used to manage identity, passwords, and auditing for Microsoft Active Directory and M365 environments. They act as central portals where users perform self-service tasks like password resets or where administrators monitor system access, making them core components of an organization's identity infrastructure.

How does CVE-2026-11374 cause account takeover?

This vulnerability involves a weakness in how the software generates Single Sign-On (SSO) tickets. Because these tickets are predictable, an attacker can guess them to bypass authentication. This falls under improper authentication and insufficient randomness weaknesses, which allow an unauthorized party to masquerade as a valid user and gain full control over their account sessions.

Do I need to be logged in to trigger this vulnerability?

No. The flaw allows an unauthenticated user to predict the required session tickets remotely. While this requires network access to the target service, it does not require a pre-existing account, a specific session, or any interaction from the legitimate user to successfully forge the necessary credentials for access.

Is my system at high risk according to Halo Surface Signal?

Yes. Halo Surface Signal identifies these products as high-priority because they are designed as self-service portals. They are frequently exposed to the internet or wide internal networks to allow employees easy access for password management. If your instance is reachable from the internet or by a broad, untrusted user base, it is at higher risk of being targeted.

When should I prioritize fixing this ManageEngine vulnerability?

You should prioritize this immediately by creating an inventory of all running instances of these products. Determine which ones are reachable over the network and identify the owners responsible for them. Once you have a clear picture of your environment, coordinate with your IT team to apply the necessary patches or vendor-provided mitigations to protect your user accounts.

References