cbcvebase.
CVE-2020-11547
published 2020-04-05

CVE-2020-11547: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage…

PriorityP353medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
52.06%
98.8th percentile
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.

Affected

1 ranges
VendorProductVersion rangeFixed in
paesslerprtg_network_monitor< 20.1.57.174520.1.57.1745

Detection & IOCsextracted from sources · hover to see the quote

url/public/login.htm?type=probes
path/public/login.htm
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PRTG Network Monitor Information Disclosure Attempt (CVE-2020-11547)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/public/login.htm?type="; startswith; fast_pattern; pcre:"/^(?:version|cpuload|dnsname|serverhttpurl|windowsversion|systemid|treestat|memory|requests|screenshot|lastsync|probes|warnings)$/Ri"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11547.yaml; reference:cve,2020-11547; classtype:successful-recon-limited; sid:2056354; rev:1; metadata:affected_product Paessler_PRTG, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_30, cve CVE_2020_11547, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Minor, updated_at 2024_09_30, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)
  • Exploit requests are unauthenticated HTTP GET requests to /public/login.htm or index.htm with a 'type=' query parameter set to one of the known enumeration values (probes, version, cpuload, dnsname, serverhttpurl, windowsversion, systemid, treestat, memory, requests, screenshot, lastsync, warnings).
  • The Snort/ET rule matches on GET requests where the URI starts with /public/login.htm?type= and the type value matches the regex of known disclosure parameters (case-insensitive).
  • Successful exploitation responses will contain body keywords 'prtg_network_monitor', 'Probes', or 'Groups' with HTTP 200 status — use these for response-side detection.
  • MITRE mapping: TA0007 (Discovery) / T1082 (System Information Discovery). Treat detections as reconnaissance activity targeting PRTG web servers.
  • ·The Snort rule (sid:2056354) requires TLS decryption to be effective when PRTG is served over HTTPS, as indicated by the TLSDecrypt/SSLDecrypt deployment metadata.
  • ·The vulnerability affects PRTG Network Monitor versions before 20.1.57.1745; ensure version scoping is applied when deploying detections to avoid false positives on patched instances.

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.