CVE-2020-11547
Published: 2020-04-05
Priority: P3 · 53 · medium · CVSS 3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 52.06% (98.8th percentile)
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paessler | prtg_network_monitor | < 20.1.57.1745 | 20.1.57.1745 |
Detection & IOCs
Path: /public/login.htm
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PRTG Network Monitor Information Disclosure Attempt (CVE-2020-11547)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/public/login.htm?type="; startswith; fast_pattern; pcre:"/^(?:version|cpuload|dnsname|serverhttpurl|windowsversion|systemid|treestat|memory|requests|screenshot|lastsync|probes|warnings)$/Ri"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11547.yaml; reference:cve,2020-11547; classtype:successful-recon-limited; sid:2056354; rev:1; metadata:affected_product Paessler_PRTG, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_30, cve CVE_2020_11547, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Minor, updated_at 2024_09_30, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)
- Exploit requests are unauthenticated HTTP GET requests to /public/login.htm or index.htm with a 'type=' query parameter set to one of the known enumeration values (probes, version, cpuload, dnsname, serverhttpurl, windowsversion, systemid, treestat, memory, requests, screenshot, lastsync, warnings).
- The Snort/ET rule matches GET requests whose URI starts with /public/login.htm?type= and whose type value matches the regex of known disclosure parameters (case-insensitive).
- Successful exploitation responses contain the body keywords 'prtg_network_monitor', 'Probes', or 'Groups' with HTTP 200 status; use these for response-side detection.
- MITRE mapping: TA0007 (Discovery) / T1082 (System Information Discovery). Treat detections as reconnaissance activity targeting PRTG web servers.
- The Snort rule (sid:2056354) requires TLS decryption to be effective when PRTG is served over HTTPS, as indicated by the TLSDecrypt/SSLDecrypt deployment metadata.
- The vulnerability affects PRTG Network Monitor versions before 20.1.57.1745; apply version scoping when deploying detections to avoid false positives on patched instances.
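
The same request-side logic can be applied retrospectively to web access logs where no IDS sensor or TLS decryption is in place. The following is an added example, not part of the ET rule or the Nuclei template: it assumes Common/Combined Log Format lines from a reverse proxy in front of PRTG, the log lines are constructed, and the function names are hypothetical. It is deliberately broader than the rule, since it also covers index.htm and a `type` parameter that is not last in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the pcre alternation in the rule quoted on this page.
TYPE_VALUES = {
    "version", "cpuload", "dnsname", "serverhttpurl", "windowsversion",
    "systemid", "treestat", "memory", "requests", "screenshot",
    "lastsync", "probes", "warnings",
}
PAGES = {"login.htm", "index.htm"}  # pages named in the CVE description

# Assumption: Common/Combined Log Format, e.g. from a reverse proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_disclosure_probes(lines):
    """Return one hit per GET to login.htm/index.htm with a known type= value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path.rsplit("/", 1)[-1].lower() not in PAGES:
            continue
        for value in parse_qs(url.query).get("type", []):
            if value.lower() in TYPE_VALUES:  # rule's pcre is case-insensitive
                hits.append({"src": m["ip"], "type": value.lower(),
                             # 200 is the status the response-side check expects;
                             # body keywords are not visible in access logs.
                             "answered": m["status"] == "200"})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Sep/2024:10:01:02 +0000] "GET /public/login.htm?type=probes HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Sep/2024:10:01:03 +0000] "GET /index.htm?type=WindowsVersion HTTP/1.1" 200 311',
    '198.51.100.20 - - [30/Sep/2024:10:02:00 +0000] "GET /public/login.htm?loginurl=%2Fhome HTTP/1.1" 200 8000',
    '198.51.100.20 - - [30/Sep/2024:10:02:05 +0000] "POST /public/login.htm HTTP/1.1" 302 0',
    '203.0.113.7 - - [30/Sep/2024:10:01:04 +0000] "GET /public/login.htm?type=treestat HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_disclosure_probes(SAMPLE_LOG):
        print(hit)
```

Hits with `answered` set are the ones to check against the installed PRTG version first, since only builds before 20.1.57.1745 are affected.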
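CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |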
Suricata
ET WEB_SPECIFIC_APPS PRTG Network Monitor Information Disclosure Attempt (CVE-2020-11547)
suricata·2024-09-30·CVSS 5.3
Nuclei
PRTG Network Monitor <20.1.57.1745 - Information Disclosure
nuclei·CVSS 5.3
PRTG Network Monitor Configuration Requests Sent')"
```yaml
- type: word
  part: body
  words:
    - "prtg_network_monitor"
    - "Probes"
    - "Groups"
  condition: or
- type: status
  status:
    - 200
# digest: 490a0046304402202b0c8a6e43ad3aecffccaeda28cdce084f72f0644268a55b817534cc4833133002205bc1891d78b818d6ae37b92f720522dbe2eca4f0231cd34a39b34aa39b2464ff:922c64590222798bb761d5b6d8e72950
```