PT-2026-51487 · Zohocorp · Zoho Manageengine Adaudit Plus+3

Published: 2026-06-23 · Updated: 2026-06-23 · CVE-2026-11374

CVSS v3.1: 9.0 (Critical)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate a session could be predicted by an unauthenticated user, leading to account takeover.

Fix

Use of Insufficiently Random Values

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-11374

Affected Products

Zoho Manageengine Adaudit Plus
Zoho Manageengine Adselfservice Plus
Zoho Manageengine M365 Manager Plus
Zoho Manageengine Recovery Manager Plus