
ManageEngine AD360: Critical SSO Flaw Enables Account Takeover, Patches Available

Jul 4, 2026

A critical vulnerability in ManageEngine AD360 lets attackers take over other users' accounts. Four products are affected when they run as integrated components of AD360, and vendor Zoho has already shipped fixes.

Tracked as CVE-2026-11374, the flaw scores 9.0 on the CVSS scale. It lies in the single sign-on (SSO) mechanism. When someone signs in via SSO to one of the integrated products, the system issues a ticket for the session. Because those tickets are predictable, an unauthenticated attacker can guess a valid one and assume the victim's identity and privileges. The attack works over the network, with no credentials and no action from the user. It is not trivial, though: predicting the tickets takes considerable effort, which is why the CVSS score stops short of the maximum.

Affected products

The issue only applies when the products are integrated with AD360. Zoho ships the fixes across several service packs with different release dates:

  • ADSelfService Plus: vulnerable up to build 6528, fixed in 6529 (2026-06-03)
  • RecoveryManager Plus: vulnerable up to build 6320, fixed in 6321 (2026-06-05)
  • M365 Manager Plus: vulnerable up to build 4816, fixed in 4817 (2026-06-10)
  • ADAudit Plus: vulnerable up to build 8702, fixed in 8703 (2026-06-12)

What you should do now

The fix changes how SSO tickets are generated so that they can no longer be predicted. Install the latest service pack from the product pages and prioritize installations that use AD360 integration. The vulnerability was reported by security researcher 0xmanhnv through Zoho's bug bounty program. There are no signs of exploitation in the wild so far, and it has not been added to CISA's KEV catalog.