ManageEngine Patches Critical Account Takeover Flaw in AD360 Suite (CVE-2026-11374) ManageEngine has disclosed a critical vulnerability, CVE-2026-11374, enabling unauthenticated account takeovers in its AD360 identity and access management suite. The flaw affects multiple integrated products ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when used with AD360 via single sign-on (SSO). The vulnerability stems from predictable SSO ticket generation, allowing attackers to craft or guess valid authentication tokens without credentials. Successful exploitation grants access to a user’s identity and role, potentially leading to full account compromise, privilege escalation, or lateral movement within enterprise networks. Affected versions include: - ADSelfService Plus (builds ≤6528, patched in 6529 on June 3, 2026) - RecoveryManager Plus (builds ≤6320, patched in 6321 on June 5, 2026) - M365 Manager Plus (builds ≤4816, patched in 4817 on June 10, 2026) - ADAudit Plus (builds ≤8702, patched in 8703 on June 12, 2026) ManageEngine addressed the issue by strengthening SSO ticket generation to prevent predictability. The vulnerability was responsibly disclosed by security researcher 0xmanhnv via the Zoho BugBounty program. Given AD360’s role in managing Active Directory, password self-service, auditing, and Microsoft 365 administration, the flaw poses a high-risk threat to enterprises relying on these tools. Organizations are urged to apply patches immediately due to the vulnerability’s pre-authentication nature.