CVE-2023-31452
📋 TL;DR
A CSRF token bypass vulnerability in PRTG Network Monitor versions 23.2.84.1566 and earlier allows attackers to trick authenticated users into performing unauthorized actions. This could lead to account creation, configuration changes, or other administrative functions. All PRTG installations running affected versions are vulnerable if accessible via web interface.
💻 Affected Systems
- Paessler PRTG Network Monitor
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create new administrative accounts, modify monitoring configurations, disable alerts, or potentially execute arbitrary code with system privileges.
Likely Case
Attackers create backdoor accounts, modify sensor configurations to hide malicious activity, or disrupt monitoring operations.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the availability and integrity of the monitoring system.
🎯 Exploit Status
Exploitation requires victim to have active session and visit malicious page. CSRF attacks are well-understood and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.3.86.1520 and later
Vendor Advisory: https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
Restart Required: Yes
Instructions:
1. Back up the PRTG configuration.
2. Download PRTG 23.3.86.1520 or later from the Paessler website.
3. Run the installer as administrator.
4. Follow the upgrade wizard.
5. Restart the PRTG services.
🔧 Temporary Workarounds
CSRF Protection Headers
Platform: Windows. Add SameSite and other CSRF protection headers via the web server configuration.
# Configure in IIS or Apache for the PRTG web interface
Network Segmentation
Platform: all. Restrict PRTG web interface access to trusted networks only.
# Configure firewall rules to limit PRTG port access (default 80/443)
🧯 If You Can't Patch
- Implement strict network access controls to limit PRTG web interface to trusted administrative networks only
- Require multi-factor authentication for all PRTG administrative accounts and implement session timeout policies
🔍 How to Verify
Check if Vulnerable:
Check PRTG version in web interface (Setup → System Administration → Version Information) or via PRTG API
Check Version:
powershell -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Paessler\PRTG Network Monitor').Version"
Verify Fix Applied:
Confirm version is 23.3.86.1520 or later in System Administration → Version Information
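The version string returned by the registry query above has four numeric components, and comparing it as text gives wrong answers once a component has a different number of digits (a text comparison puts "23.10.x" before "23.3.x"). The following Python helper is an added example, not part of the advisory or of Paessler's tooling; it compares components numerically against the fixed build 23.3.86.1520, and on Windows reads the installed version through the same PowerShell one-liner the advisory gives. The fallback version used when not on Windows is a constructed sample value.

```python
"""Added example (not from the advisory or Paessler): decide whether a PRTG
version string is at or past the fixed build 23.3.86.1520.

Assumption: the version string looks like the registry value printed by the
advisory's PowerShell one-liner, e.g. "23.2.84.1566".
"""
import re
import subprocess
import sys

FIXED_VERSION = "23.3.86.1520"  # first fixed build, from the vendor advisory


def parse_version(text):
    """Turn "23.2.84.1566" into (23, 2, 84, 1566); raise ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised PRTG version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_fixed(version_text):
    """True if the installed build is 23.3.86.1520 or later (numeric comparison)."""
    return parse_version(version_text) >= parse_version(FIXED_VERSION)


def installed_version():
    """On Windows, read the version from the registry key the advisory names.
    Returns None on other platforms so the caller can decide what to do."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(
        ["powershell", "-Command",
         "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Paessler\\PRTG Network Monitor').Version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed fallback value so the script also runs off-box for a demo.
    version = installed_version() or "23.2.84.1566"
    print(version, "fixed" if is_fixed(version) else "VULNERABLE - upgrade to 23.3.86.1520 or later")
```

The numeric comparison matters for any automated inventory check: a script that does `"23.10.1.100" < "23.3.86.1520"` as strings would report a later build as vulnerable.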
📡 Detection & Monitoring
Log Indicators:
- Unexpected user creation events
- Configuration changes from unusual IPs
- Multiple failed login attempts followed by successful admin actions
Network Indicators:
- HTTP POST requests to PRTG with missing or invalid CSRF tokens
- Requests from non-admin networks to administrative endpoints
SIEM Query:
source="PRTG" AND (event_type="user_created" OR event_type="config_change") AND src_ip NOT IN [admin_networks]
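The indicators above can be checked mechanically once the events reach a SIEM or log pipeline. The script below is an added example, not part of the advisory or of Paessler's product: it walks a small set of constructed NDJSON events (PRTG audit events plus reverse-proxy web logs) and reports which indicator each one triggers: a sensitive PRTG event from outside the admin networks, a POST to an administrative path without a CSRF token, a POST to such a path from a non-admin network, or a POST whose Origin header does not match the PRTG host. The admin network ranges, the PRTG host, the token field name and the path prefixes are placeholders; PRTG's real field and path names should be taken from a legitimate request on your own installation before this is deployed.

```python
"""Added detection example (not from the advisory or Paessler): flag PRTG
activity matching the advisory's log and network indicators.

Assumptions (placeholders, adjust to your environment):
- Events are NDJSON records with a "source" field; PRTG audit events carry
  event_type and src_ip, proxy web logs carry method, path, params, origin.
- The proxy logs the request parameters and the Origin header.
"""
import ipaddress
import json
from urllib.parse import parse_qs

# Placeholder trusted administrative networks.
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.10.0.0/16")]
SENSITIVE_EVENTS = {"user_created", "config_change"}
# Placeholder names: PRTG's actual CSRF field and admin paths differ.
PRTG_ORIGIN = "https://prtg.example.internal"
CSRF_FIELD = "csrftoken"
ADMIN_PATH_PREFIXES = ("/editsettings", "/api/", "/controls/")

# Constructed sample events for the demo.
SAMPLE_EVENTS = """
{"source": "PRTG", "event_type": "user_created", "src_ip": "10.10.3.7", "user": "admin"}
{"source": "PRTG", "event_type": "user_created", "src_ip": "203.0.113.5", "user": "admin"}
{"source": "proxy", "method": "POST", "path": "/editsettings.htm", "src_ip": "192.168.10.4", "params": "id=2&csrftoken=abc123", "origin": "https://prtg.example.internal"}
{"source": "proxy", "method": "POST", "path": "/editsettings.htm", "src_ip": "10.0.5.23", "params": "id=2&name=newuser", "origin": "https://other.example"}
{"source": "proxy", "method": "GET", "path": "/sensors.htm", "src_ip": "10.0.5.23", "params": "id=2", "origin": ""}
"""


def in_admin_network(ip):
    """True if ip falls inside one of the trusted administrative ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def analyse(event):
    """Return the list of indicator names this event triggers (empty = nothing noteworthy)."""
    hits = []
    src_ip = event.get("src_ip", "")
    if event.get("source") == "PRTG" and event.get("event_type") in SENSITIVE_EVENTS:
        # Mirrors the SIEM query: sensitive event, source outside admin networks.
        if not in_admin_network(src_ip):
            hits.append("sensitive_event_from_non_admin_network")
    elif event.get("source") == "proxy" and event.get("method") == "POST":
        # State-changing requests only; GETs are not flagged here.
        if event.get("path", "").startswith(ADMIN_PATH_PREFIXES):
            params = parse_qs(event.get("params", ""))
            if CSRF_FIELD not in params:
                hits.append("post_missing_csrf_token")
            if not in_admin_network(src_ip):
                hits.append("admin_endpoint_from_non_admin_network")
            origin = event.get("origin") or ""
            if origin and origin != PRTG_ORIGIN:
                hits.append("cross_origin_post")
    return hits


def scan(ndjson_text):
    """Run analyse() over every record and return (src_ip, indicator) pairs in order."""
    findings = []
    for line in ndjson_text.strip().splitlines():
        event = json.loads(line)
        for hit in analyse(event):
            findings.append((event.get("src_ip"), hit))
    return findings


if __name__ == "__main__":
    for src_ip, indicator in scan(SAMPLE_EVENTS):
        print(f"{src_ip:15} {indicator}")
```

Only POST requests are examined, so the check stays quiet on ordinary dashboard browsing; the Origin comparison is the one signal that does not depend on knowing PRTG's token field name, which is why it is worth logging at the proxy even if nothing else is.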
🔗 References
- https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
- https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520
- https://www.paessler.com/prtg/history/stable