ManageEngine has released security updates to address a critical vulnerability, CVE-2026-11374, affecting its AD360 identity and access management platform. The flaw impacts several integrated products that rely on AD360 for single sign-on (SSO), potentially allowing attackers to take over user accounts without valid credentials.
The vulnerability affects ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when they are integrated with AD360 through SSO.
ManageEngine AD360 Vulnerability
The issue is caused by weaknesses in the way AD360 generates SSO authentication tickets. Researchers found that these tickets could be predicted, making it possible for an unauthenticated attacker to forge a valid SSO ticket and bypass the normal login process.
If successfully exploited, an attacker could impersonate legitimate users, access their accounts, and inherit the permissions associated with those accounts. In environments where privileged administrators are targeted, the vulnerability could lead to complete account compromise, unauthorized access to sensitive data, and lateral movement across the network.
The following product versions are affected:
- ADSelfService Plus 6528 and earlier
- RecoveryManager Plus 6320 and earlier
- M365 Manager Plus 4816 and earlier
- ADAudit Plus 8702 and earlier
ManageEngine has released security updates for all affected products to eliminate the predictable SSO ticket generation issue.
Recommended Actions
Organizations using AD360 should apply the latest product updates as soon as possible to reduce the risk of exploitation. Because the vulnerability can be exploited without prior authentication, delaying patches may expose enterprise environments to account takeover attacks.
Security teams should also:
- Install the latest available builds for all affected products.
- Review authentication logs for unusual SSO activity.
- Monitor privileged accounts for unexpected login attempts.
The vulnerability was responsibly reported through the Zoho Bug Bounty Program by security researcher 0xmanhnv. ManageEngine has credited the researcher and hardened its SSO token generation process in the patched releases to prevent similar attacks.
As identity management platforms are often central to enterprise security, organizations should prioritize patching this vulnerability and continue monitoring authentication activity for any signs of compromise.