One Ticket, Many Doors: The ManageEngine Identity Flaw That Could Turn Trust Into Impersonation
CVE-2026-11374 shows how a predictable SSO artifact inside an integrated identity suite can become a serious account-takeover risk.
Identity platforms are built to remove friction, but they also concentrate trust. In the case of ManageEngine AD360 deployments that integrate ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, that trust appears to hinge on a single SSO flow. The concern is not abstract: a high-severity flaw tracked as CVE-2026-11374 is reported to let unauthenticated attackers predict SSO tickets and potentially take over targeted user accounts.
Fast Facts
- CVE-2026-11374 affects AD360-style deployments that include multiple ManageEngine components.
- The weakness centers on predictable SSO tickets, not on stolen passwords.
- The issue is described as high-severity and mapped to authentication and randomness weakness classes.
- Successful abuse could lead to targeted account takeover and exposure of identity or role information.
- Defenders need to check each affected product build, not only the AD360 umbrella.
How a shared login path becomes the weak point
The technical pattern here is familiar to defenders who track identity bugs: if an attacker can predict a session artifact that a platform treats as proof of identity, the normal login boundary starts to erode. That is why the issue is associated with improper authentication and weak randomness classes. In plain terms, the concern is that an SSO ticket meant to be hard to guess may not have been random enough to resist abuse.
Netcrook analysis suggests the real risk is architectural. AD360 is designed as an integrated identity and access management layer, so one trusted sign-on flow can front several management tools. That does not automatically mean all systems are broken at once, but it does mean one failure in the shared trust mechanism can have a wider blast radius than a standalone application bug.
Why defenders should care
The reported attack path does not require prior authentication, which raises the stakes for any deployment reachable from an untrusted network. At the same time, the available information does not fully establish the precise root cause, all affected configurations, or whether the flaw has been used in the wild. The safe reading is narrower and still serious: if a valid SSO ticket can be predicted, an attacker may be able to impersonate the victim and inherit that user’s access context.
That is enough to make this more than a patch note. It is an identity assurance problem. In centralized admin suites, account takeover can affect audit visibility, helpdesk workflows, password reset functions, and Microsoft 365 management pathways depending on how the products are connected. The exact downstream impact will vary by deployment, but the trust failure is the same.
ManageEngine has also published fixed builds for the affected components, which makes version inventory essential. Security teams should verify whether ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, or ADAudit Plus are deployed as integrated AD360 components, then move to the corrected versions and review authentication logs for unusual session behavior.
From a defensive perspective, the most important lesson is that SSO is only as strong as the randomness and verification behind its session artifacts. A predictable ticket is not just a coding flaw. In an enterprise identity stack, it can become a shortcut into the trust layer that everything else depends on.
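To make the contrast in the two passages above concrete, here is an added illustration (not ManageEngine's code, and not a claim about the actual root cause of CVE-2026-11374): a ticket that is a deterministic function of guessable inputs, beside a hand-off ticket issuer that draws from the OS CSPRNG, stores only digests, binds each ticket to the component allowed to redeem it, and makes it short-lived and single-use. Component names such as "adaudit" and the 60-second lifetime are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def weak_ticket(user: str, issued_at: int) -> str:
    """Weak pattern, constructed for contrast: the ticket depends only on values
    an unauthenticated party can know or guess, so it is reproducible rather
    than random. This is the weakness class, not the vendor's implementation."""
    return hashlib.md5(f"{user}:{issued_at}".encode()).hexdigest()


class TicketStore:
    """Hardened SSO hand-off ticket issuer/verifier (constructed example).

    Tickets are 256 bits from the OS CSPRNG, kept server-side only as SHA-256
    digests (a leaked store cannot be replayed), bound to the component that may
    redeem them, short-lived and single-use.
    """

    TTL_SECONDS = 60  # assumed lifetime; hand-off tickets should be brief

    def __init__(self) -> None:
        # digest -> (user, audience, expires_at)
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _digest(ticket: str) -> str:
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue(self, user: str, audience: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # unpredictable, never derived from inputs
        self._pending[self._digest(ticket)] = (user, audience, now + self.TTL_SECONDS)
        return ticket

    def redeem(self, ticket: str, audience: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user, or None if the ticket is unknown, expired,
        presented to the wrong component, or already used. The ticket is consumed
        on first presentation even when the check fails (fail closed)."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(ticket), None)  # pop => single use
        if entry is None:
            return None
        user, bound_audience, expires_at = entry
        if now > expires_at or bound_audience != audience:
            return None
        return user
```

Two of the checks here map directly onto the article's "one ticket, many doors" concern: a ticket minted for one integrated component is rejected by another, and a ticket can never be redeemed twice.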
Conclusion
CVE-2026-11374 is a reminder that identity systems fail in dangerous ways when a small internal token is treated like unquestionable proof. The broader lesson is simple: when one sign-on mechanism governs multiple tools, its unpredictability becomes part of the organization’s security perimeter. In identity security, a guessable ticket can be the difference between access control and impersonation.
WIKICROOK
- Single Sign-On (SSO): A login method that lets one authenticated session access multiple applications.
- Session ticket: A token-like artifact used to prove a user has been authenticated.
- CVSS: A scoring system used to rate the severity of software vulnerabilities.
- Improper authentication: A flaw where a system does not correctly verify who a user is.
- Account takeover: Unauthorized control of a user account by an attacker.