CVE-2019-11074

moderate-risk
Published 2020-03-17

A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Full Web Page Sensor and set specific settings when executing the sensor.

Do I need to act?

~
3.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Paessler

References (6)

Release Notes https://how2itsec.blogspot.com/2019/10/security-fixes-in-prtg-1935152.html
Exploit https://sensepost.com/blog/2019/being-stubborn-pays-off-pt.-1-cve-2018-19204/
Release Notes https://www.paessler.com/prtg/history/stable
Release Notes https://how2itsec.blogspot.com/2019/10/security-fixes-in-prtg-1935152.html
Exploit https://sensepost.com/blog/2019/being-stubborn-pays-off-pt.-1-cve-2018-19204/
Release Notes https://www.paessler.com/prtg/history/stable
38
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 5/34 · Minimal