CVE-2020-28872

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthorized attackers to create valid administrative credentials in Monitorr v1.7.6m, bypassing authentication entirely. This affects all deployments of Monitorr 1.7.6m that have the vulnerable file accessible. Once credentials are created, attackers gain full administrative access to the monitoring system.

💻 Affected Systems

Products:
  • Monitorr
Versions: 1.7.6m
Operating Systems: All operating systems running Monitorr
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable file is part of the standard installation and requires no special configuration to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to remote code execution, data theft, and persistent backdoor installation on the server hosting Monitorr.

🟠

Likely Case

Unauthorized administrative access to Monitorr dashboard, allowing attackers to view sensitive monitoring data and potentially upload malicious files.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and has public exploit code available, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to any network-accessible attacker, including compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available that automate credential creation and subsequent RCE through file upload functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.7d or later

Vendor Advisory: https://github.com/Monitorr/Monitorr

Restart Required: No

Instructions:

1. Back up the current Monitorr installation (files and configuration).
2. Download the latest release from the official GitHub repository.
3. Replace all files with the new version.
4. Confirm that assets/config/_installation/_register.php has been removed, or now requires an authenticated session before it creates a user.

🔧 Temporary Workarounds

Remove vulnerable file

Platform: linux

Delete the installer's registration script (or make it unreadable by the web server user). The path below assumes the default layout relative to the Monitorr install directory. Re-deploying the same release restores the file, so repeat this step after any reinstall.

rm /path/to/Monitorr/assets/config/_installation/_register.php

Web server access restriction

Platform: all

Deny requests to the vulnerable endpoint in the web server configuration. Adjust the path if Monitorr is served from a sub-path (for example /monitorr/). In Nginx, regex locations are tried in file order and the first match wins, so this block must appear before the generic PHP handler (location ~ \.php$), otherwise the script is still executed.

# Apache (httpd 2.4)
<Location "/assets/config/_installation/_register.php">
    Require all denied
</Location>

# Nginx
location ~* /assets/config/_installation/_register\.php$ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict network access controls to limit Monitorr access to trusted IP addresses only
  • Deploy web application firewall (WAF) rules to block requests to the vulnerable _register.php endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether assets/config/_installation/_register.php exists under the Monitorr web root and, if it does, whether it verifies an authenticated session before creating a user account. On 1.7.6m the script creates the account without any such check.

Check Version:

Check Monitorr version in dashboard or examine version.txt file in installation directory.

Verify Fix Applied:

Confirm that _register.php is absent or requires an authenticated session, and that an unauthenticated request to the endpoint can no longer create an account (a 403/404 from the web server, or a rejection from the script itself).
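A non-destructive reachability check for the endpoint, as an added example that is not part of the advisory or of Monitorr: it sends one unauthenticated GET to _register.php without following redirects, never submits a registration, and classifies the response. The "registration form in the body" heuristic and the placeholder hostname are assumptions of this script.

```python
"""Non-destructive check for the CVE-2020-28872 endpoint.

Added example; not part of the original advisory or of Monitorr. It sends one
unauthenticated GET to _register.php, does not follow redirects, does not
submit a registration, and classifies the response. The "registration form in
the body" heuristic is an assumption of this script, not something the
advisory states. Run it only against hosts you are authorised to test.
"""
import re
import sys
import urllib.error
import urllib.request

REGISTER = "/assets/config/_installation/_register.php"
FORM_RE = re.compile(r"<form\b", re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, has_form=False):
    """Map an unauthenticated response to a verdict string."""
    if status == 200 and has_form:
        return "EXPOSED: anonymous client was served the registration form"
    if status == 200:
        return "REACHABLE: script ran for an anonymous client; inspect the body"
    if status in (401, 403):
        return "BLOCKED: web server or application denied the request"
    if status in (404, 410):
        return "REMOVED: script is not present (deleted or fixed release)"
    if 300 <= status < 400:
        return "REDIRECT: check the Location header; a login redirect suggests an auth check"
    return f"UNKNOWN: HTTP {status}, inspect manually"


def probe(base_url, timeout=10):
    """Return (status, has_form) for one GET to the registration script."""
    url = base_url.rstrip("/") + REGISTER
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2020-28872-check"})
    opener = urllib.request.build_opener(_NoRedirect)  # replaces the default redirect handler
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, bool(FORM_RE.search(body))
    except urllib.error.HTTPError as e:
        # 3xx, 4xx and 5xx all arrive here; the code is what we classify
        return e.code, False


if __name__ == "__main__":
    # Hypothetical host; pass the real base URL as the first argument
    base = sys.argv[1] if len(sys.argv) > 1 else "http://monitorr.example.internal"
    status, has_form = probe(base)
    print(f"{base}{REGISTER} -> HTTP {status}: {classify(status, has_form)}")
```

A 200 without a form can still mean the script ran (for example the fixed version printing an error), so treat REACHABLE as "inspect", not as "safe".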

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /assets/config/_installation/_register.php
  • Unusual user account creation events
  • File uploads to Monitorr upload directories from unauthenticated sources

Network Indicators:

  • POST requests to the vulnerable endpoint from unexpected sources
  • Subsequent file upload requests following credential creation

SIEM Query (Splunk-style; adjust field names to your web-log source):

source="web_server" AND (uri="/assets/config/_installation/_register.php" OR uri="/assets/php/upload.php") AND status=200

Exact-match uri filters miss sub-path installs (for example /monitorr/assets/...) and requests that carry a query string; use a wildcard match such as uri="*/assets/config/_installation/_register.php*" where the platform supports it.
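The log indicators above, run over a few constructed access-log lines, as an added example (not from the advisory or from Monitorr). It assumes Apache/nginx "combined" log format and a 30-minute correlation window between a successful registration and a follow-up upload from the same client; both are choices of this example, and the sample lines are made up.

```python
"""Flag CVE-2020-28872 exploitation patterns in web-server access logs.

Added example; not part of the original advisory or of Monitorr. It parses
Apache/nginx "combined" log lines and reports:
  * any POST to the unauthenticated registration script that returned 200, and
  * a follow-up POST to assets/php/upload.php from the same client within
    WINDOW, which is the credential-creation-then-upload sequence above.
Paths are matched by suffix so sub-path installs (/monitorr/assets/...) are
caught too. The sample log lines are constructed for this example.
"""
import re
from datetime import datetime, timedelta

REGISTER = "/assets/config/_installation/_register.php"
UPLOAD = "/assets/php/upload.php"
WINDOW = timedelta(minutes=30)  # assumption: how long an upload counts as "follow-up"

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string before matching
    return d


def find_indicators(lines):
    """Return a list of (severity, message) findings in log order."""
    findings = []
    last_register = {}  # client ip -> time of its last successful registration
    for raw in lines:
        e = parse_line(raw)
        if e is None or e["method"] != "POST":
            continue
        if e["path"].endswith(REGISTER) and e["status"] == 200:
            last_register[e["ip"]] = e["ts"]
            findings.append(("high", f'{e["ip"]} created credentials via {REGISTER} '
                                     f'at {e["ts"]:%Y-%m-%d %H:%M:%S}'))
        elif e["path"].endswith(UPLOAD):
            t0 = last_register.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                delay = int((e["ts"] - t0).total_seconds())
                findings.append(("critical", f'{e["ip"]} uploaded a file via {UPLOAD} '
                                             f'{delay}s after registering'))
    return findings


# Constructed sample: one attacker sequence, one legitimate admin upload, one blocked probe
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2020:14:03:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2020:14:03:40 +0000] "POST /assets/config/_installation/_register.php HTTP/1.1" 200 312 "-" "python-requests/2.24.0"',
    '198.51.100.7 - - [10/Nov/2020:14:04:05 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 97 "-" "python-requests/2.24.0"',
    '203.0.113.9 - - [10/Nov/2020:15:20:01 +0000] "POST /assets/php/upload.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Nov/2020:16:00:00 +0000] "POST /monitorr/assets/config/_installation/_register.php HTTP/1.1" 403 199 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for severity, msg in find_indicators(SAMPLE_LOG):
        print(f"[{severity.upper()}] {msg}")
```

The 403 probe and the stand-alone upload produce no finding: the first was blocked, and an upload with no preceding anonymous registration is what a legitimate admin session looks like in the log. A successful registration alone is already reportable, since the fixed version should never return it to an anonymous client.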

🔗 References