CVE-2019-14481
Description
AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in AdRem NetCrunch web client allows an attacker to perform unauthorized actions, leading to account takeover, by tricking a logged-in user into visiting a malicious page.
Vulnerability
AdRem NetCrunch 10.6.0.4587 and possibly earlier versions are vulnerable to Cross-Site Request Forgery (CSRF) in the web client. Non-idempotent requests that change data or trigger actions lack CSRF protection, allowing an attacker to forge requests on behalf of an authenticated user. [1]
Exploitation
An attacker must trick a logged-in user into visiting a malicious website or clicking a crafted link. The victim's browser then sends unauthorized requests to the NetCrunch web client, performing actions such as changing account settings. No additional authentication or network position is required beyond the victim's active session. [1]
Impact
Successful exploitation leads to account takeover, as the attacker can modify account credentials or perform administrative actions. The attacker gains full control over the victim's account, potentially compromising the monitoring server and all monitored systems due to stored privileged credentials. [1]
Mitigation
The vulnerability is fixed in AdRem NetCrunch version 11.0.0.5282, where changing the password requires the old password, mitigating CSRF-based account takeover. Users should upgrade to this version or later. No workaround is mentioned; older versions remain vulnerable. The advisory notes that other versions are believed vulnerable. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AdRem/NetCrunch
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection on non-idempotent requests allows an attacker to change the logged-in user's password without requiring the old password."
Attack vector
An attacker crafts a malicious page that sends a forged POST request to the NetCrunch web client's password-change endpoint [ref_id=1]. The victim must be logged into NetCrunch and then visit the attacker's page (or click a prepared link). Because the web client does not require the old password when changing the password, the forged request succeeds and the attacker can set the victim's password to an arbitrary value, achieving account takeover [ref_id=1].
Affected code
The advisory does not specify particular files or functions. The vulnerability exists in the NetCrunch web client's password-change functionality, where non-idempotent requests lack CSRF tokens or other anti-forgery protections [ref_id=1].
What the fix does
The advisory states that version 11.0.0.5282 remediates the issue by requiring the old password to change the password [ref_id=1]. No patch diff is available in the bundle. The fix closes the attack vector by adding a credential confirmation step, so a single forged request from an attacker's page can no longer silently change the victim's password.
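The two-layer defence the fix points at (a per-session anti-forgery token plus confirmation of the current password) shown beside the unprotected pattern the advisory describes; this is an added illustration, not NetCrunch code or the vendor's patch, and the user store, session shape, form field names and sample credentials are constructed stand-ins:

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins (not NetCrunch code). sha256 stands in for a real
# password hash such as argon2/bcrypt; the point here is the request checks.
def hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def make_users() -> dict:
    return {"admin": {"pw_hash": hash_pw("OldPass!1")}}

def new_session(user: str) -> dict:
    # Secret per-session token; a cross-origin page cannot read it, so it
    # cannot be included in a forged form post.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def change_password_vulnerable(users: dict, session: dict, form: dict) -> bool:
    """The CVE-2019-14481 pattern: the handler trusts the session cookie alone.
    Any cross-site POST the victim's browser sends succeeds, and the old
    password is never asked for."""
    users[session["user"]]["pw_hash"] = hash_pw(form["new_password"])
    return True

def change_password_hardened(users: dict, session: dict, form: dict) -> bool:
    """Hardened handler: reject unless the form carries the session's CSRF
    token AND proves knowledge of the current password (the check the
    advisory says 11.0.0.5282 adds). Either failure leaves the store untouched."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False  # forged cross-site request: attacker page lacks the token
    current = users[session["user"]]["pw_hash"]
    supplied = hash_pw(form.get("old_password", ""))
    if not hmac.compare_digest(supplied, current):
        return False  # caller cannot confirm the existing credential
    users[session["user"]]["pw_hash"] = hash_pw(form["new_password"])
    return True
```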
Preconditions
- Victim must be logged into the NetCrunch web client.
- Victim must open a malicious page or click a prepared link while authenticated.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- compass-security.com/fileadmin/Research/Advisories/2020-15_CSNC-2019-016_AdRem_NetCrunch_Cross-Site_Request_Forgery_CSRF.txt
- www.adremsoft.com/support/
News mentions
No linked articles in our index yet.