ManageEngine Products – Predictable SSO Ticket Generation / Account Takeover (CVE-2026-11374)

Scope: ADSelfService Plus (prior to build 6529), RecoveryManager Plus (prior to 6321), M365 Manager Plus (prior to 4817), and ADAudit Plus (prior to 8703)

Severity: Critical

An authentication bypass vulnerability caused by predictable Single Sign-On (SSO) ticket generation allows an unauthenticated, remote attacker to predict or forge valid SSO tickets, obtain authenticated sessions, and take complete control of user accounts without any user interaction. Because these ManageEngine products serve as critical identity and access management infrastructure, a successful account takeover directly compromises the confidentiality, integrity, and availability of the Active Directory environments they manage, giving attackers the ability to impersonate administrators, reset passwords, and move laterally across the enterprise network.

Organizations must upgrade immediately to the fixed builds: ADSelfService Plus (6529 or later), RecoveryManager Plus (6321 or later), M365 Manager Plus (4817 or later), and ADAudit Plus (8703 or later). As defense in depth (not a substitute for the upgrade), administrators should enforce Multi-Factor Authentication (MFA) for all corporate accounts and actively monitor SSO logs for anomalous authentication patterns, such as logins from unexpected sources or unexpected administrative activity.
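The advisory does not disclose how the affected products generate their SSO tickets, so the following is a constructed illustration of the bug class only, not ManageEngine code: a ticket issuer that draws tickets from a deterministic PRNG with a guessable seed (here, the server start time in whole seconds), the attacker-side seed recovery and prediction that follows from it, and a hardened issuer that uses the operating-system CSPRNG with server-side binding, expiry, single use, and constant-time comparison. All class and function names are hypothetical.

```python
"""Constructed example: predictable SSO tickets vs. a hardened issuer.
Not ManageEngine's implementation; the issuer design is hypothetical."""
import hmac
import random
import secrets
import time
from typing import Dict, Optional, Tuple

TICKET_TTL = 300  # seconds a hardened ticket stays redeemable (assumed value)


class WeakTicketIssuer:
    """Vulnerable pattern: tickets come from a non-cryptographic PRNG whose
    seed an attacker can narrow to a small window (process start time)."""

    def __init__(self, start_time: int):
        self._rng = random.Random(start_time)  # Mersenne Twister, not a CSPRNG

    def issue(self, username: str) -> str:
        return f"{username}:{self._rng.getrandbits(64):016x}"


def recover_seed(observed: str, t_low: int, t_high: int, position: int) -> Optional[int]:
    """Attacker step 1: with one ticket of their own (the `position`-th one the
    server issued, 0-based) and a window of candidate seeds, replay each seed
    until the PRNG reproduces the observed nonce."""
    nonce = observed.rsplit(":", 1)[-1]
    for seed in range(t_low, t_high + 1):
        rng = random.Random(seed)
        for _ in range(position):
            rng.getrandbits(64)
        if f"{rng.getrandbits(64):016x}" == nonce:
            return seed
    return None


def predict_next_ticket(seed: int, already_issued: int, victim: str) -> str:
    """Attacker step 2: advance a clone of the PRNG past every ticket issued so
    far and emit the ticket the victim will receive next."""
    rng = random.Random(seed)
    for _ in range(already_issued):
        rng.getrandbits(64)
    return f"{victim}:{rng.getrandbits(64):016x}"


class HardenedTicketIssuer:
    """Fixed pattern: 256-bit tickets from the OS CSPRNG, bound server-side to a
    user and expiry, redeemable once, compared in constant time."""

    def __init__(self):
        self._active: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        ticket = secrets.token_urlsafe(32)
        issued_at = time.time() if now is None else now
        self._active[ticket] = (username, issued_at + TICKET_TTL)
        return ticket

    def redeem(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        for stored, (user, expiry) in list(self._active.items()):
            if hmac.compare_digest(stored, ticket):
                del self._active[stored]  # single use, even if expired
                return user if now <= expiry else None
        return None


def demo() -> Dict[str, bool]:
    """Run the attack against both issuers and report what succeeded."""
    start = 1_700_000_000  # constructed server start time (epoch seconds)
    window = (start - 3600, start + 3600)  # attacker knows start to +/- 1 hour

    weak = WeakTicketIssuer(start)
    weak.issue("admin")                      # ticket 0: someone else's
    mine = weak.issue("attacker")            # ticket 1: attacker sees their own
    seed = recover_seed(mine, *window, position=1)
    forged = predict_next_ticket(seed, already_issued=2, victim="admin") if seed else None
    real = weak.issue("admin")               # ticket 2: what admin actually gets

    hard = HardenedTicketIssuer()
    hard.issue("admin")
    mine2 = hard.issue("attacker")
    old = hard.issue("svc", now=1000.0)

    return {
        "weak_seed_recovered": seed == start,
        "weak_forgery_matches_real": forged == real,
        "hardened_seed_recovered": recover_seed(mine2, *window, position=1) is not None,
        "hardened_owner_redeems": hard.redeem(mine2) == "attacker",
        "hardened_replay_rejected": hard.redeem(mine2) is None,
        "hardened_guess_rejected": hard.redeem(secrets.token_urlsafe(32)) is None,
        "hardened_expired_rejected": hard.redeem(old, now=1000.0 + TICKET_TTL + 1) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The weak issuer falls in roughly 7,200 PRNG replays because the only secret is the seed; the hardened issuer has no seed to recover, and even a correctly formatted guess fails the server-side lookup. The same logic applies to any token that gates authentication: derive it from `secrets` (or the platform equivalent), keep the binding to the principal on the server, and expire and invalidate it on use.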

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the ManageEngine Security Advisory (CVE-2026-11374) and apply the necessary updates.