Critical Vulnerability Alert: Predictable SSO Token Generation in ManageEngine AD360 Leads to Account Takeover
A critical security flaw has been identified within ManageEngine’s AD360 identity and access management (IAM) suite, designated as CVE-2026-11374. This vulnerability exposes organizations to potential account takeover (ATO) attacks, allowing unauthenticated actors to bypass standard security protocols and impersonate legitimate users.
The vulnerability is not isolated to a single application but rather affects the interconnected ecosystem of the AD360 suite. Specifically, the flaw manifests when ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus are integrated with AD360 via Single Sign-On (SSO).
Technical Deep Dive: The Mechanics of the Exploit
At the heart of this vulnerability lies insufficient cryptographic randomness in the credentials that drive session management. In a standard SSO workflow, once a user authenticates through the central AD360 hub, the system generates unique SSO tickets (tokens) to facilitate seamless, uninterrupted access to integrated modules. These tokens act as temporary digital keys, proving the user’s identity to downstream applications.
Security researchers discovered that the generation logic for these SSO tickets lacked sufficient entropy. Because the tokens were generated using a predictable pattern or flawed algorithmic logic, an attacker does not need to steal a valid session; they can simply “guess” or mathematically derive a valid token. By injecting a crafted, predicted token into a request, an unauthenticated attacker can trick the integrated products into recognizing them as a valid, authenticated user.
Once the authentication barrier is breached, the attacker can retrieve sensitive identity metadata and role-based access control (RBAC) information. Depending on the privilege level of the impersonated account, this can escalate from simple data exposure to full administrative control over Active Directory operations, Microsoft 365 environments, and system recovery processes.
Affected Versions and Patch Information
ManageEngine has released critical updates to harden the SSO token generation mechanism, introducing high-entropy randomness to prevent predictability. To mitigate this risk, administrators must upgrade to the following builds immediately:
- ADSelfService Plus: Fixed in build 6529 (released June 3, 2026); earlier builds up to 6528 are vulnerable.
- RecoveryManager Plus: Fixed in build 6321 (released June 5, 2026); earlier builds up to 6320 are vulnerable.
- M365 Manager Plus: Fixed in build 4817 (released June 10, 2026); earlier builds up to 4816 are vulnerable.
- ADAudit Plus: Fixed in build 8703 (released June 12, 2026); earlier builds up to 8702 are vulnerable.
For detailed technical advisories and download links, please refer to the official ManageEngine Security Advisory.
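The following example is added here to illustrate the class of weakness described in the technical section above and the fix described under the patch information; it is not ManageEngine's code and makes no claim about how AD360 actually generated its tickets. The `PredictableTicketIssuer` class is a hypothetical stand-in for a token scheme with too little entropy (a non-cryptographic PRNG seeded with wall-clock time), and `SecureTicketIssuer` shows the hardened pattern: tokens drawn from the OS CSPRNG, stored only as a hash, bound to one user, single-use and time-limited. The `reproduces_stream` check is the kind of regression test a team can keep to make sure a token scheme never becomes deterministic again. All class and function names are assumptions for this illustration.

```python
"""Contrast between a predictable SSO ticket scheme and a CSPRNG-backed one.

Added illustration; not the AD360 implementation. Names are assumptions.
"""
import hashlib
import random
import secrets
import time


class PredictableTicketIssuer:
    """Hypothetical weak issuer: tickets come from a non-cryptographic PRNG
    seeded with low-entropy state (wall-clock seconds). Two issuers built
    within the same second produce the identical ticket stream, which is
    what "predictable pattern" means in practice."""

    def __init__(self, seed=None):
        self._rng = random.Random(int(time.time()) if seed is None else seed)

    def issue(self, user=None):
        # 16 bytes drawn from Mersenne Twister; looks random, is not secret.
        return "".join(f"{self._rng.getrandbits(8):02x}" for _ in range(16))


class SecureTicketIssuer:
    """Hardened issuer: 256-bit tickets from the OS CSPRNG (secrets module),
    kept server-side only as a SHA-256 fingerprint, bound to a user,
    redeemable once, and expiring after ttl_seconds."""

    def __init__(self, ttl_seconds=300):
        self._ttl = ttl_seconds
        self._live = {}  # sha256(ticket) -> (user, expires_at)

    @staticmethod
    def _fingerprint(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe chars
        self._live[self._fingerprint(ticket)] = (user, now + self._ttl)
        return ticket

    def redeem(self, ticket, now=None):
        """Return the bound user exactly once; None if unknown, reused or expired."""
        now = time.time() if now is None else now
        entry = self._live.pop(self._fingerprint(ticket), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None


def reproduces_stream(make_issuer, n=5):
    """Regression check: build two issuers the same way and compare their
    first n tickets. True means the scheme is deterministic (unsafe)."""
    a, b = make_issuer(), make_issuer()
    return [a.issue("probe") for _ in range(n)] == [b.issue("probe") for _ in range(n)]


def all_unique(issuer, n=10000):
    """Cheap sanity check: n consecutive tickets must never repeat."""
    return len({issuer.issue("probe") for _ in range(n)}) == n


if __name__ == "__main__":
    print("weak issuer deterministic:",
          reproduces_stream(lambda: PredictableTicketIssuer(seed=20260603)))
    print("secure issuer deterministic:", reproduces_stream(SecureTicketIssuer))
    sso = SecureTicketIssuer(ttl_seconds=300)
    t = sso.issue("alice")
    print("first redeem:", sso.redeem(t), "second redeem:", sso.redeem(t))
```

Note that the secure issuer never compares raw tickets: the dictionary is keyed by the SHA-256 of the ticket, so a database dump does not yield usable tokens and the lookup does not leak ticket bytes through timing. The five-minute TTL and single-use rule limit the damage of any ticket that does leak in transit.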
Recommended Incident Response and Mitigation
Because this is a pre-authentication vulnerability, the barrier to entry for an attacker is exceptionally low. We recommend the following immediate actions for security operations centers (SOCs):
- Prioritize Patching: Deploy the latest service packs across all AD360-integrated components. This is the only definitive fix for the underlying logic flaw.
- Audit Authentication Logs: Scrutinize SSO logs for anomalous patterns, such as multiple successful logins from unexpected IP addresses or unusual sequences of access to different integrated modules in rapid succession.
- Monitor for Lateral Movement: Given the potential for privilege escalation, review logs for unauthorized changes to Active Directory permissions or unexpected administrative actions in Microsoft 365.
- Implement Defense-in-Depth: Ensure that multi-factor authentication (MFA) is strictly enforced and that network segmentation limits the blast radius should an IAM component be compromised.
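As an added example of the log review recommended above (not a tool from ManageEngine or from the advisory), the script below runs three checks over SSO success events: a login from outside the trusted address ranges, successful logins for one user from more than one source address inside a short window, and access to several different integrated modules by one user in rapid succession. The log format, the module names as they appear in the lines, the trusted network, and the sample lines are all constructed for this illustration; adapt the regular expression to the real product log layout.

```python
"""Flag anomalous SSO patterns in a constructed success log.

Added illustration for the audit recommendations; not an official tool.
The line format and sample data are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line layout: "<ISO-8601 UTC> sso_success user=<id> src=<ip> module=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso_success user=(?P<user>\S+) src=(?P<src>\S+) module=(?P<module>\S+)$"
)

# Constructed sample: jdoe behaves normally; asmith shows the three patterns.
SAMPLE_LOG = """\
2026-06-14T09:00:05Z sso_success user=jdoe src=10.20.1.15 module=ADSelfServicePlus
2026-06-14T09:03:40Z sso_success user=jdoe src=10.20.1.15 module=M365ManagerPlus
2026-06-14T09:15:02Z sso_success user=asmith src=10.20.3.8 module=ADAuditPlus
2026-06-14T09:15:31Z sso_success user=asmith src=203.0.113.77 module=ADSelfServicePlus
2026-06-14T09:15:58Z sso_success user=asmith src=203.0.113.77 module=RecoveryManagerPlus
2026-06-14T09:16:20Z sso_success user=asmith src=203.0.113.77 module=M365ManagerPlus
2026-06-14T09:30:00Z sso_failure user=bwong src=10.20.1.99 module=ADAuditPlus
""".splitlines()


def parse(lines):
    """Keep only successful SSO events, sorted by timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # failures and unrelated lines are out of scope here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "module": m["module"]})
    events.sort(key=lambda e: e["ts"])
    return events


def audit(lines, trusted_nets, window=timedelta(minutes=10), module_fanout=3):
    """Return one finding per (user, kind); each finding records when it first fired."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    by_user = defaultdict(list)
    for ev in parse(lines):
        by_user[ev["user"]].append(ev)

    findings, seen = [], set()

    def flag(user, kind, ev, detail):
        if (user, kind) not in seen:
            seen.add((user, kind))
            findings.append({"user": user, "kind": kind,
                             "at": ev["ts"].isoformat(), "detail": detail})

    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not any(ipaddress.ip_address(ev["src"]) in net for net in trusted):
                flag(user, "untrusted_source", ev, ev["src"])
            # Sliding window: this event plus earlier ones within `window`.
            recent = [e for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window]
            sources = sorted({e["src"] for e in recent})
            if len(sources) > 1:
                flag(user, "multi_source_window", ev, sources)
            modules = sorted({e["module"] for e in recent})
            if len(modules) >= module_fanout:
                flag(user, "rapid_module_fanout", ev, modules)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(f"{f['at']} {f['user']:<8} {f['kind']:<22} {f['detail']}")
```

Each check is deliberately simple and tunable: the window and module fan-out threshold are parameters, and findings are deduplicated per user and kind so one compromised account produces a handful of lines rather than one per event. Anything that fires should be correlated with the lateral-movement review in the next recommendation (directory permission changes, unexpected Microsoft 365 administrative actions) rather than treated as a verdict on its own.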
This vulnerability was responsibly disclosed by security researcher 0xmanhnv through the Zoho BugBounty program, highlighting the critical importance of continuous security research in complex IAM environments.