Description
Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.
Published: 2026-04-16
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

Zohocorp ManageEngine Log360 versions 13.0.0 through 13.0.13 allow an attacker to bypass authentication on certain privileged actions. The flaw arises from an improper filter configuration that can be exploited to gain unauthorized access, effectively allowing an attacker to log in without credentials. The weakness is categorized as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and directly compromises system security and confidentiality.

Affected Systems

The affected product is Zohocorp ManageEngine Log360, specifically versions 13.0.0 to 13.0.13 inclusive. Users running any of these versions are vulnerable to the described authentication bypass.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating high severity. EPSS data is currently unavailable, so the exact likelihood of exploitation is unknown, but the high CVSS score suggests a significant risk if the flaw is exploited. The flaw is not yet listed in the CISA KEV catalog. The likely attack vector is HTTP requests to privileged actions, sent either remotely over a network that can reach the Log360 instance or by local attackers with network access, because the bypass operates through misconfigured system filters.

Generated by OpenCVE AI on April 17, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ManageEngine Log360 to the latest version that addresses the authentication bypass vulnerability.
  • If an immediate patch is not possible, restrict external network access to the Log360 management interface and enforce strong network segmentation.
  • Enable two‑factor authentication and monitor for anomalous login attempts to detect potential bypass attempts.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.
Title | | Authentication Bypass
First Time appeared | | Zohocorp; Zohocorp manageengine Log360
Weaknesses | | CWE-288
CPEs | | cpe:2.3:a:zohocorp:manageengine_log360:*:*:*:*:*:*:*:*
Vendors & Products | | Zohocorp; Zohocorp manageengine Log360
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-04-16T15:21:19.911Z

Reserved: 2026-02-27T11:27:10.762Z

Link: CVE-2026-3324

Vulnrichment

Updated: 2026-04-16T15:21:08.790Z

NVD

Status: Received

Published: 2026-04-16T15:17:38.010

Modified: 2026-04-16T15:17:38.010

Link: CVE-2026-3324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:00:08Z

Weaknesses