Heise.De
Critical SSO Vulnerability in ManageEngine Allows Account Takeover
Zoho Corp. ManageEngine has disclosed a critical vulnerability tracked as CVE-2026-11374, affecting several of its products when integrated with AD360. The flaw allows attackers to predict single sign-on (SSO) tokens, potentially leading to account takeover and exposure of sensitive user information. Affected products include ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, with specific vulnerable versions listed. The vulnerability has a CVSS score of 9.0, indicating a critical risk. As of now, there are no confirmed reports of exploitation in the wild. Users are advised to update to the latest versions to mitigate the risk. The vulnerability was reported through the Zoho bug bounty program. This follows previous disclosures of critical vulnerabilities in ManageEngine products last November.
Key Points:
• CVE-2026-11374 is a critical vulnerability allowing account takeover via SSO.
• Affected products include ADSelfService Plus and RecoveryManager Plus, with versions listed.
• No known exploitation has occurred yet, but users are urged to update immediately.