Enterprise IT systems face critical ManageEngine and FortiSandbox vulnerabilities
A critical vulnerability (CVE‑2026‑11374) has been disclosed in several ManageEngine products, including ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus and ADAudit Plus. The flaw makes single‑sign‑on tickets predictable, allowing unauthenticated attackers to hijack accounts and potentially gain access to broader identity‑management functions. The issue is especially relevant for organisations in Germany, Austria and Switzerland that rely on these tools for password‑reset, recovery and audit processes.
Separately, three high‑severity flaws in Fortinet’s FortiSandbox appliance (CVE‑2026‑39813, CVE‑2026‑39808 and CVE‑2026‑25089) are being actively exploited. Two of the bugs permit unauthenticated code execution via crafted HTTP requests, and a third is being targeted with a faulty exploit. Fortinet released patched firmware in April, and users are urged to update immediately. DefusedCyber reported seeing exploitation on June 15, noting a tweet: “We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours…”. Both sets of vulnerabilities pose significant risk to enterprise networks if left unaddressed.