CVE-2020-36968 Overview
CVE-2020-36968 is an authentication vulnerability in M/Monit version 3.7.4 that allows authenticated attackers to retrieve user password hashes through administrative API endpoints. By sending requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints, attackers can extract MD5 password hashes for all users in the system.
This vulnerability is classified as CWE-522 (Insufficiently Protected Credentials), which occurs when a product transmits or stores authentication credentials in a manner that makes them subject to unauthorized interception or retrieval.
Critical Impact
Authenticated attackers can harvest MD5 password hashes for all system users, enabling offline password cracking and potential account takeover across the entire M/Monit deployment.
Affected Products
- M/Monit 3.7.4
Discovery Timeline
- 2026-01-28 - CVE CVE-2020-36968 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36968
Vulnerability Analysis
This vulnerability represents a significant credential exposure issue in M/Monit's administrative API. The flaw stems from inadequate access controls on sensitive API endpoints that return user credential data. When an authenticated user with any privilege level accesses the /api/1/admin/users/list or /api/1/admin/users/get endpoints, the application returns user records including their MD5 password hashes.
The use of MD5 for password hashing compounds the severity of this issue. MD5 is considered cryptographically broken and is highly susceptible to rainbow table attacks and modern GPU-accelerated cracking techniques. An attacker who obtains these hashes can potentially recover plaintext passwords in a matter of minutes to hours depending on password complexity.
The network-accessible nature of this vulnerability means that any authenticated user on the network can exploit it without requiring additional privileges or user interaction.
Root Cause
The root cause of CVE-2020-36968 is the insufficient protection of credentials (CWE-522) combined with inadequate authorization checks on administrative API endpoints. The application fails to properly restrict access to sensitive user data, allowing any authenticated user to retrieve password hashes that should only be accessible to administrative functions. Additionally, the use of weak MD5 hashing for password storage exacerbates the impact, as recovered hashes can be easily cracked offline.
Attack Vector
The attack vector for this vulnerability is network-based and requires low-privilege authenticated access. An attacker must first authenticate to the M/Monit application with any valid credentials. Once authenticated, the attacker can directly request user information from the administrative API endpoints.
The attack flow involves making HTTP requests to /api/1/admin/users/list to enumerate all users, then optionally using /api/1/admin/users/get to retrieve detailed information including MD5 password hashes for specific users. These hashes can then be subjected to offline cracking attacks using tools like Hashcat or John the Ripper.
For technical exploitation details, refer to the Exploit-DB #49081 entry and the VulnCheck Advisory for Mmonit.
Detection Methods for CVE-2020-36968
Indicators of Compromise
- Unusual or frequent requests to /api/1/admin/users/list or /api/1/admin/users/get endpoints from non-administrative accounts
- Multiple API requests enumerating user accounts in rapid succession
- Access to administrative API endpoints from unexpected IP addresses or user agents
- Evidence of offline password cracking attempts or credential stuffing attacks following API access
Detection Strategies
- Monitor web server access logs for requests to the vulnerable API endpoints (/api/1/admin/users/list and /api/1/admin/users/get)
- Implement alerting for non-administrator accounts accessing administrative API routes
- Deploy web application firewall (WAF) rules to detect and block suspicious API enumeration patterns
- Review authentication logs for unusual login patterns that may indicate compromised credentials
Monitoring Recommendations
- Enable verbose logging for all M/Monit API endpoints and retain logs for forensic analysis
- Configure SIEM rules to correlate API access patterns with user privilege levels
- Implement rate limiting on administrative API endpoints to slow enumeration attempts
- Regularly audit user access patterns and investigate anomalous administrative API usage
How to Mitigate CVE-2020-36968
Immediate Actions Required
- Upgrade M/Monit to the latest available version that addresses this vulnerability
- Restrict network access to M/Monit administrative interfaces using firewall rules or network segmentation
- Force password resets for all users, assuming existing password hashes may have been compromised
- Implement strong, unique passwords for all M/Monit accounts to mitigate offline cracking risks
Patch Information
Consult the M/Monit official site for the latest security updates and patched versions. Review the VulnCheck Advisory for Mmonit for specific remediation guidance.
Workarounds
- Implement network-level access controls to restrict access to M/Monit to trusted IP addresses only
- Use a reverse proxy with authentication to add an additional security layer before M/Monit
- Disable or restrict access to the /api/1/admin/users/list and /api/1/admin/users/get endpoints if not operationally required
- Monitor and audit all API access until a patch can be applied
# Example: Restrict M/Monit access using iptables
# Allow only trusted management network
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
