CVE-2021-20136
📋 TL;DR
CVE-2021-20136 is an unauthenticated remote code execution vulnerability in ManageEngine Log360. Attackers can overwrite the database configuration to point to a malicious database, then force Log360 to restart and execute attacker-controlled code. Organizations running Log360 builds before 5235 are affected.
💻 Affected Systems
- ManageEngine Log360, builds before 5235 (Windows and Linux installations)
📦 What is this software?
ManageEngine Log360 is Zoho's integrated SIEM and log-management platform; it bundles components such as EventLog Analyzer and ADAudit Plus and is normally deployed with read access to Windows event logs, Active Directory audit data and other security telemetry from across the estate. That is what makes a compromise of the Log360 server itself high-value: the box already holds credentials and network reach into the systems it monitors.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the Log360 server, potentially leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution allowing attackers to deploy malware, exfiltrate sensitive log data, or use the server as a foothold for further attacks.
If Mitigated
No impact if properly patched or network-isolated; limited impact if only accessible to trusted internal networks.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code and needs no credentials; the only prerequisite is network reachability to the Log360 web service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 5235 or later
Vendor Advisory: https://www.manageengine.com/products/eventlog/security-updates/cve-2021-20136.html
Restart Required: Yes
Instructions:
1. Back up the current Log360 installation and configuration (including the database) so the upgrade can be rolled back.
2. Download Log360 Build 5235 or later from the ManageEngine website.
3. Install the update following ManageEngine's upgrade guide.
4. Restart the Log360 service and confirm the new build number in the web interface.
🔧 Temporary Workarounds
Network Isolation
Applies to: all platforms. Restrict network access to the Log360 management interface to trusted IP addresses only.
Use firewall rules to block all external access to the Log360 web and API ports (the ports cited for this product are 8020, 8021 and 8443; confirm the actual listening ports on the host with netstat or ss before writing rules, since installations are often reconfigured).
Service Account Hardening
Applies to: Windows. Run the Log360 service with minimal privileges so that code executed through this vulnerability inherits as little as possible.
Configure the Log360 service to run as a dedicated, non-administrator service account rather than LocalSystem or a domain administrator.
🧯 If You Can't Patch
- Isolate Log360 server on a dedicated VLAN with strict network access controls
- Implement application-level firewall or WAF to block suspicious requests to Log360 endpoints
🔍 How to Verify
Check if Vulnerable:
Check Log360 build number in the web interface (Admin → About) or installation directory; if build number is less than 5235, system is vulnerable.
Check Version:
On Windows: Check 'About' in Log360 web interface or examine installation directory version files. On Linux: Check version in /opt/ManageEngine/Log360/conf/version.txt
Verify Fix Applied:
Confirm the build number is 5235 or higher. Then, from a network position that holds no Log360 session, send a request to the endpoint used to rewrite the database configuration and confirm it is rejected with an authentication error rather than accepted; a patched build must not let an anonymous caller change where Log360 looks for its database.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /RestAPI/LogonCustomization
- Database configuration changes without authentication
- Unexpected Log360 service restarts
Network Indicators:
- Unusual outbound connections from Log360 server to unknown databases
- Traffic patterns indicating configuration overwrite attempts
SIEM Query (pseudo-syntax; field names depend on how your parser models Log360's web and application logs):
source="Log360" AND (uri_path="/RestAPI/LogonCustomization" OR event_description="Database configuration changed") AND user="anonymous"
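The log indicators above can be checked mechanically. The following is an added example (not code from the page or from ManageEngine) that parses web-server access-log lines and flags unauthenticated POSTs to the configuration endpoint named in this advisory. It assumes the access log is in the Apache/Tomcat "combined" format with an authenticated-user field (`-` when none); the sample lines, IP addresses and timestamps are constructed for the example. A request that was accepted (2xx) is rated higher than one the server rejected, since after patching every such request should fall into the rejected bucket.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/Tomcat "combined" format, assumed).
# Third field is the remote user; '-' means no authenticated user was recorded.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2021:10:14:02 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
203.0.113.7 - - [12/Nov/2021:10:14:09 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
10.0.0.25 - admin [12/Nov/2021:10:15:30 +0000] "GET /apps/log360/index.html HTTP/1.1" 200 8843 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Nov/2021:10:20:11 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 403 0 "-" "curl/7.79.1"
10.0.0.25 - admin [12/Nov/2021:10:21:00 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, user, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint named in this advisory's log indicators.
WATCHED_PATHS = {"/RestAPI/LogonCustomization"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec


def find_unauth_config_writes(text):
    """Return one finding per POST to a watched path that carried no authenticated user."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] not in WATCHED_PATHS:
            continue
        if rec["user"] != "-":
            continue  # an authenticated administrator changing settings is expected
        # A 2xx means the server accepted the write: that is the post-exploitation signal.
        severity = "high" if 200 <= rec["status"] < 300 else "low"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
        })
    return findings


def summarize_by_source(findings):
    """Aggregate findings per source IP: total attempts and how many were accepted."""
    summary = defaultdict(lambda: {"count": 0, "accepted": 0})
    for f in findings:
        summary[f["ip"]]["count"] += 1
        if f["severity"] == "high":
            summary[f["ip"]]["accepted"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_unauth_config_writes(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['severity']}] {h['ts']} {h['ip']} POST {h['path']} -> {h['status']}")
    print(summarize_by_source(hits))
```

One caveat on the user field: a servlet container's access log usually only populates it for HTTP-level authentication, not for application sessions carried in a cookie, so on many Log360 hosts that column is `-` for everyone. If that is the case, drop the `rec["user"] != "-"` test and instead alert on every POST to the endpoint that does not originate from the administrator network, then triage the accepted (2xx) ones first.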