M/Monit Password Hash Disclosure Vulnerability

Vulnerability

An authentication vulnerability in M/Monit version 3.7.4 allows authenticated attackers to access user password hashes via an administrative API. Exploitation involves sending requests to the '/api/1/admin/users/list' and '/api/1/admin/users/get' endpoints, which return MD5 password hashes for all users.

Impact

Successful exploitation leads to unauthorized access to user password hashes, which could be used for further attacks, such as password cracking or unauthorized account access.

Reproduction

To reproduce this vulnerability, log into the application with valid credentials. Once authenticated, send a request to the '/api/1/admin/users/list' endpoint to retrieve a list of users. For each user, send a request to the '/api/1/admin/users/get' endpoint, including the username as a parameter, to obtain the corresponding MD5 password hash.
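From the defender's side, the two endpoints named above are the thing to watch in the web server access log: a single authenticated session calling '/api/1/admin/users/list' and then walking '/api/1/admin/users/get' once per user is the pattern the advisory describes. The following is an added example, not code from the advisory or from M/Monit: it parses combined-format access log lines with an authenticated-user field (a constructed sample is embedded; real M/Monit log layout may differ), keeps only successful requests to the two administrative user endpoints, and flags any source/user pair that fetched at least `threshold` distinct user records. The query parameter name `name` in the sample lines is a placeholder, since the advisory does not state it; the code therefore keys targets on the whole query string rather than on a specific parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines in combined format with the
# authenticated user in the third field. Not from any real deployment;
# the "name=" parameter is a placeholder for whatever M/Monit actually uses.
SAMPLE_LOG = """\
10.0.0.5 - alice [28/Jan/2026:18:41:02 +0000] "GET /api/1/admin/users/list HTTP/1.1" 200 512
10.0.0.5 - alice [28/Jan/2026:18:41:03 +0000] "GET /api/1/admin/users/get?name=bob HTTP/1.1" 200 180
10.0.0.5 - alice [28/Jan/2026:18:41:03 +0000] "GET /api/1/admin/users/get?name=carol HTTP/1.1" 200 181
10.0.0.5 - alice [28/Jan/2026:18:41:04 +0000] "GET /api/1/admin/users/get?name=dave HTTP/1.1" 200 179
10.0.0.9 - bob [28/Jan/2026:18:42:10 +0000] "GET /api/1/hosts/list HTTP/1.1" 200 2048
10.0.0.9 - bob [28/Jan/2026:18:42:11 +0000] "GET /api/1/admin/users/get?name=bob HTTP/1.1" 200 180
"""

# Combined log format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# The two endpoints named in the advisory.
ADMIN_USER_ENDPOINTS = ("/api/1/admin/users/list", "/api/1/admin/users/get")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def admin_user_api_requests(log_text):
    """Return parsed requests whose path (query string stripped) is one of the admin user endpoints."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        if parts.path in ADMIN_USER_ENDPOINTS:
            rec["endpoint"] = parts.path
            rec["query"] = parts.query  # identifies which user record was requested
            hits.append(rec)
    return hits


def enumeration_summary(log_text, threshold=3):
    """Group successful admin-user-API calls by (source IP, authenticated user).

    Returns {(src, user): {"list_calls": int, "distinct_targets": int, "suspicious": bool}}.
    A pair is flagged suspicious when it retrieved `threshold` or more distinct
    user records via /users/get, which is the enumeration pattern in the advisory.
    """
    per_actor = defaultdict(lambda: {"list_calls": 0, "targets": set()})
    for rec in admin_user_api_requests(log_text):
        if rec["status"] != 200:
            continue  # only successful responses disclose anything
        key = (rec["src"], rec["user"])
        if rec["endpoint"].endswith("/list"):
            per_actor[key]["list_calls"] += 1
        else:
            per_actor[key]["targets"].add(rec["query"])

    summary = {}
    for key, v in per_actor.items():
        n = len(v["targets"])
        summary[key] = {
            "list_calls": v["list_calls"],
            "distinct_targets": n,
            "suspicious": n >= threshold,
        }
    return summary


if __name__ == "__main__":
    for (src, user), info in enumeration_summary(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{src:<12} {user:<8} list={info['list_calls']} "
              f"users_fetched={info['distinct_targets']} {flag}")
```

On the sample, `alice` is flagged (one `/list` call followed by three distinct `/get` records) while `bob`, who fetched only his own record, is not. In production the threshold should be set relative to how many users an administrator legitimately inspects, and the rule is most useful combined with a review of which accounts hold administrative rights at all, since the advisory's precondition is simply a valid login.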

Added: Jan 28, 2026, 6:41 PM
Updated: Jan 28, 2026, 6:41 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          4.5
impact          2.5
exploitability  6.2
remediation     0.0
relevance       2.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.