ManageEngine AD360 Integration Flaw Exposes User Identity and Role Information to Attackers
ManageEngine disclosed CVE-2026-11374, a high-severity vulnerability in AD360 integration that lets unauthenticated attackers predict SSO tokens, enabling account takeover and privilege escalation.

ManageEngine has disclosed a high-severity vulnerability, tracked as CVE-2026-11374, affecting several of its identity and access management solutions when integrated with AD360. The flaw could allow unauthenticated attackers to predict single sign-on (SSO) tokens, potentially leading to account takeover and exposure of sensitive user information. The issue affects ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when deployed within the ManageEngine AD360 environment. These tools are commonly used across enterprise networks for identity governance, Active Directory management, auditing, and Microsoft 365 administration, making the vulnerability particularly significant in large-scale deployments.
The vulnerability was reported by security researcher 0xmanhnv through the Zoho BugBounty program, and ManageEngine has credited the researcher for the responsible disclosure. According to the advisory, the vulnerability stems from weaknesses in the generation of SSO tickets during authentication. When a user logs in via AD360's SSO, the system issues a token to validate the session. However, researchers found that an unauthenticated attacker could predict these tokens. This predictability opens the door for attackers to craft valid session tokens without needing legitimate credentials.
Exploitation of this flaw could allow attackers to impersonate users and gain unauthorized access to systems. In such scenarios, attackers may retrieve user identity details and role-based access information, which could, in turn, enable privilege escalation depending on the compromised account. In environments where AD360 acts as a central identity hub, this risk becomes more severe as multiple integrated services could be exposed through a single successful attack. An attacker could generate a valid SSO token to gain unauthorized access to ADAudit Plus audit logs and administrative data, enabling internal reconnaissance and potential lateral movement within the organization.
The vulnerability affects ADSelfService Plus version 6528 and earlier, RecoveryManager Plus version 6320 and earlier, M365 Manager Plus version 4816 and earlier, and ADAudit Plus version 8702 and earlier. ManageEngine has released patches to address the issue in subsequent versions released between June 3 and June 12, 2026. To mitigate the risk, ManageEngine has strengthened the SSO ticket generation mechanism to ensure tokens are no longer predictable.
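The advisory describes the root cause only at the level of "predictable SSO ticket generation" and the fix only as a "strengthened generation mechanism". The following added example (not ManageEngine's code, and not a description of how AD360 actually derived its tickets) contrasts a hypothetical weak issuer, whose ticket is a function of values an observer can know, with a hardened issuer that draws 256 bits from the OS CSPRNG, stores only a hash of the ticket server-side, and enforces expiry and single use. The `reproduce_weak_ticket` helper is the audit check a reviewer would apply: if a ticket can be recomputed from public inputs, it is not a secret.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


# Hypothetical weak issuer, for contrast only. The ticket depends solely on the
# username, the login second and a running counter, all of which an observer can
# know or narrow down. This is an illustration, not AD360's real scheme.
class WeakTicketIssuer:
    def __init__(self, start_counter: int = 0) -> None:
        self.counter = start_counter

    def issue(self, username: str, login_second: int) -> str:
        self.counter += 1
        raw = f"{username}:{login_second}:{self.counter}".encode()
        return hashlib.sha1(raw).hexdigest()


def reproduce_weak_ticket(username: str, login_second: int, counter: int) -> str:
    """Audit check: a ticket that can be recomputed from knowable inputs is predictable."""
    return hashlib.sha1(f"{username}:{login_second}:{counter}".encode()).hexdigest()


@dataclass
class IssuedTicket:
    username: str
    expires_at: int
    used: bool = False


class HardenedTicketIssuer:
    TICKET_BYTES = 32   # 256 bits of CSPRNG output per ticket
    TTL_SECONDS = 300   # short lifetime limits the window for any replay

    def __init__(self) -> None:
        # Keyed by SHA-256 of the ticket: a leaked store does not yield usable tickets.
        self._store: Dict[bytes, IssuedTicket] = {}

    @staticmethod
    def _hash(ticket: str) -> bytes:
        return hashlib.sha256(ticket.encode()).digest()

    def issue(self, username: str, now: int) -> str:
        ticket = secrets.token_urlsafe(self.TICKET_BYTES)
        self._store[self._hash(ticket)] = IssuedTicket(username, now + self.TTL_SECONDS)
        return ticket

    def redeem(self, ticket: str, now: int) -> Optional[str]:
        """Return the username for a valid, unexpired, unused ticket; otherwise None."""
        rec = self._store.get(self._hash(ticket))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True  # single use: a captured ticket cannot be replayed
        return rec.username


if __name__ == "__main__":
    weak = WeakTicketIssuer()
    t = weak.issue("alice", 1_700_000_000)
    print("weak ticket reproducible:", t == reproduce_weak_ticket("alice", 1_700_000_000, 1))
    strong = HardenedTicketIssuer()
    s = strong.issue("alice", now=1000)
    print("first redeem:", strong.redeem(s, now=1100), "second redeem:", strong.redeem(s, now=1100))
```

The design choice worth noting is that unpredictability comes from `secrets` (the OS CSPRNG), not from hashing a predictable input: hashing hides the structure of the weak ticket but does not enlarge the space an attacker has to search. The hashed store, expiry and single-use flag are the defence-in-depth layers that limit damage if a ticket is ever captured rather than guessed.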
Organizations using affected products are strongly advised to apply the latest service packs immediately to secure their environments. In addition to patching, security teams should closely monitor authentication logs for unusual SSO activity and review access permissions across critical accounts. Strengthening access controls and limiting exposure of identity services can further reduce the risk of exploitation.
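The advice to "monitor authentication logs for unusual SSO activity" is concrete enough to turn into a detection rule. The following added example (not part of the advisory and not ManageEngine's tooling) runs over constructed log lines in an assumed format; a real deployment would adapt the regex to the product's actual SSO log format. It flags a source that accumulates many ticket-validation failures for unknown tickets inside a short window, and separately records whether that source then succeeded, which is the pattern a guessed ticket would leave behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterator

# Constructed sample log in an assumed "key=value" format (not a real AD360 log).
SAMPLE_LOG = """\
2026-06-05T10:00:01Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:02Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:03Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:04Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:05Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:06Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:07Z sso ticket_validate src=203.0.113.7 user=alice result=FAIL reason=unknown_ticket
2026-06-05T10:00:09Z sso ticket_validate src=203.0.113.7 user=alice result=OK
2026-06-05T10:05:00Z sso ticket_validate src=198.51.100.4 user=bob result=OK
2026-06-05T10:06:00Z sso ticket_validate src=198.51.100.9 user=carol result=FAIL reason=expired
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso ticket_validate src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL)(?: reason=(?P<reason>\S+))?$"
)


def parse(log_text: str) -> Iterator[dict]:
    """Yield parsed events; lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev


def find_ticket_guessing(log_text: str, window_seconds: int = 60, fail_threshold: int = 5) -> Dict[str, dict]:
    """Flag sources with >= fail_threshold unknown-ticket failures within window_seconds.

    Returns {src: {"failures": n, "success_after_burst": bool}}. A success from a
    flagged source after the burst is the strongest indicator and should be
    treated as a possible account takeover, not merely noise.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # src -> timestamps of recent failures
    alerts: Dict[str, dict] = {}
    for ev in parse(log_text):
        src = ev["src"]
        q = recent[src]
        # Drop failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "FAIL" and ev["reason"] == "unknown_ticket":
            q.append(ev["ts"])
            if len(q) >= fail_threshold:
                alerts.setdefault(src, {"failures": 0, "success_after_burst": False})
                alerts[src]["failures"] = len(q)
        elif ev["result"] == "OK" and src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in find_ticket_guessing(SAMPLE_LOG).items():
        print(f"ALERT src={src} unknown-ticket failures={info['failures']} "
              f"success_after_burst={info['success_after_burst']}")
```

Only failures whose reason is an unknown ticket count toward the threshold; an expired ticket from a legitimate user (carol in the sample) is ordinary noise and is not counted. Threshold and window are parameters because the right values depend on how chatty the product's own SSO redirects are in a given environment.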
This vulnerability underscores the critical importance of secure token generation in identity and access management systems. As enterprises increasingly rely on SSO for streamlined authentication, any weakness in token predictability can have cascading effects across the entire infrastructure. The disclosure also highlights the value of bug bounty programs in identifying and responsibly disclosing such flaws before they can be exploited in the wild.