Cyber Resilience

CVE-2026-3324

Severity: High
Published: 16 April 2026
Modified: 17 April 2026
CVSS v3.1 score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0132 (67.2nd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3324 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3324 is an authentication bypass vulnerability in Zohocorp ManageEngine Log360 versions 13000 through 13013, stemming from improper filter configuration and mapped to CWE-288. Published on 2026-04-16, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility and lack of prerequisites for exploitation.

Unauthenticated attackers with network access to a vulnerable Log360 instance can exploit this issue with low complexity and no user interaction required. Successful exploitation enables bypass of authentication on certain actions, resulting in high confidentiality impact—such as unauthorized access to sensitive log data—and low integrity impact, with no disruption to availability.

Mitigation details are available in the vendor advisory at https://www.manageengine.com/log-management/advisory/CVE-2026-3324.html.


Vulnerability details

Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1654 Log Enumeration (Discovery): Adversaries may enumerate system and service logs to find useful data.

Why these techniques?

CVE-2026-3324 enables exploitation of a public-facing log management application (T1190) via authentication bypass, directly facilitating unauthorized access to sensitive logs (T1654).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574 (shared CWE-288)
CVE-2025-2747 (shared CWE-288)
CVE-2025-69101 (shared CWE-288)
CVE-2026-2628 (shared CWE-288)
CVE-2025-64121 (shared CWE-288)
CVE-2026-22733 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2025-50904 (shared CWE-288)
CVE-2025-24846 (shared CWE-288)
CVE-2026-25002 (shared CWE-288)

Affected Assets

Zohocorp ManageEngine Log360 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for access to system resources, directly preventing the authentication bypass caused by improper filter configuration in Log360.

Prevent: AC-14 (Permitted Actions Without Identification or Authentication) identifies and limits the specific actions permitted without identification or authentication, mitigating unauthorized access to the vulnerable actions in Log360.

Prevent: CM-6 (Configuration Settings) mandates secure configuration settings for components such as filters, addressing the improper filter configuration that causes the authentication bypass.

References