CVE-2026-11374
CriticalCVSS 9.0Exploitation Probability (EPSS)
Elevated risk65th percentile — higher than 65% of all known CVEs
Summary
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, SSO tickets generated to authenticate the session could be predicted by an unauthenticated user, leading to account takeover.
Risk Assessment
The predictability of SSO tickets poses a risk of account takeover, which could lead to unauthorized access to sensitive data and organizational resources.
Recommendation
It is recommended to update the software to the latest version and implement additional security mechanisms to minimize the risk of SSO ticket prediction.
Original NVD description (English source)
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.

