CVE-2021-38137
Description
Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check swa-monitor and cns-monitor users' privileges, allowing a user to perform actions not belonging to their role.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Corero SecureWatch Managed Services 9.7.2.0020 fails to enforce role-based access control for swa-monitor and cns-monitor users, allowing unauthorized privileged operations and information disclosure.
Vulnerability
Corero SecureWatch Managed Services version 9.7.2.0020 does not correctly enforce role-based authorization for users with the swa-monitor or cns-monitor roles. A swa-monitor user can access privileged API endpoints such as get_snapshot_list, get_snapshot, get_packages, get_settings, and settings, which should be restricted to higher-privilege roles. Similarly, a cns-monitor user can reach the /system/diagnostics endpoint to manage log files [1].
Exploitation
An attacker must first obtain valid credentials for a swa-monitor or cns-monitor account. With network access to the SecureWatch Management interface on the target host (typically port 8000), the attacker can make HTTP requests to the vulnerable API endpoints. The reference demonstrates logging in with a swa-monitor account and then retrieving the list of available snapshots via https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list [1]. No additional authentication bypass or user interaction is required beyond possessing the low-privilege credentials.
Impact
Successful exploitation allows an attacker with a low-privilege swa-monitor role to download sensitive system snapshots, view installed packages and versions, and read network and Splunk configuration details. A cns-monitor user can manage log files. These actions disclose confidential operational information and system internals, violating confidentiality and potentially aiding further attacks. The attacker does not gain administrative privileges but can access data intended for more trusted roles [1].
Mitigation
Corero fixed the issue in SecureWatch Managed Services 9.7.5. Upgrade to 9.7.5 or later as soon as possible. If an immediate upgrade is not feasible, restrict network access to the management interface (port 8000) to trusted hosts, and review access logs for monitor-role accounts calling the endpoints listed above. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
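The interim advice to monitor for unauthorized API calls can be made concrete. The following is an added example, not code from Corero, Splunk or the advisory: it scans access-log lines for monitor-role accounts calling the endpoints the advisory names and reports whether each call was actually served (2xx) or refused. The log line format, the user-to-role map and the full request paths (the advisory only gives the full URL for get_snapshot_list and the /system/diagnostics suffix) are constructed assumptions.

```python
"""Flag monitor-role API calls to endpoints outside the role's scope.

Added example for CVE-2021-38137; not Corero or Splunk code. The access-log
format, the user-to-role mapping and the full request paths are constructed
for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed combined-style access log: src - user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Endpoints the advisory says each monitor role can reach but should not.
OUT_OF_SCOPE = {
    "swa-monitor": {"get_snapshot_list", "get_snapshot", "get_packages",
                    "get_settings", "settings"},
    "cns-monitor": {"diagnostics"},
}

# Constructed user-to-role map; in practice pull this from the role database.
USER_ROLES = {"swa_mon1": "swa-monitor", "cns_mon1": "cns-monitor", "admin": "admin"}

# Constructed sample log. Paths other than get_snapshot_list are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - swa_mon1 [05/Aug/2021:10:12:03 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot_list HTTP/1.1" 200 4321
10.0.0.5 - swa_mon1 [05/Aug/2021:10:12:09 +0000] "GET /it-IT/splunkd/__raw/services/get_snapshot?name=snap-01 HTTP/1.1" 200 998877
10.0.0.9 - admin [05/Aug/2021:10:13:00 +0000] "GET /it-IT/splunkd/__raw/services/get_packages HTTP/1.1" 200 2048
10.0.0.5 - swa_mon1 [05/Aug/2021:10:14:21 +0000] "GET /it-IT/app/search/dashboard HTTP/1.1" 200 15000
this line is deliberately malformed and must be skipped
10.0.0.7 - cns_mon1 [05/Aug/2021:10:15:02 +0000] "POST /it-IT/splunkd/__raw/system/diagnostics HTTP/1.1" 200 512
10.0.0.5 - swa_mon1 [05/Aug/2021:10:16:40 +0000] "GET /it-IT/splunkd/__raw/services/get_settings HTTP/1.1" 403 128
""".splitlines()


def out_of_scope(role, path):
    """True if `path` is one of the endpoints the advisory puts outside `role`'s scope."""
    segs = path.strip("/").split("/")
    if role == "swa-monitor" and "services" in segs:
        i = segs.index("services")
        return i + 1 < len(segs) and segs[i + 1] in OUT_OF_SCOPE[role]
    if role == "cns-monitor":
        return any(a == "system" and b == "diagnostics" for a, b in zip(segs, segs[1:]))
    return False


def find_violations(lines, user_roles):
    """Return one record per out-of-scope call by a monitor-role account.

    `served` is True when the server answered 2xx, i.e. the missing check was
    actually exploited rather than refused.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        role = user_roles.get(m["user"])
        if role not in OUT_OF_SCOPE:
            continue  # only monitor roles are of interest here
        path = urlsplit(m["target"]).path  # drop query string before matching
        if out_of_scope(role, path):
            status = int(m["status"])
            hits.append({"user": m["user"], "role": role, "path": path,
                         "status": status, "served": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for h in find_violations(SAMPLE_LOG, USER_ROLES):
        flag = "SERVED" if h["served"] else "refused"
        print(f"{flag:8} {h['role']:12} {h['user']:10} {h['status']} {h['path']}")
```

A 2xx on any of these paths from a monitor-role account is the signal that the instance is still unpatched; a 403 on the same paths after upgrading to 9.7.5 is the expected result.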
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Corero / SecureWatch Managed Services
- Range: = 9.7.2.0020
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing access-control checks allow users with "swa-monitor" or "cns-monitor" roles to invoke privileged HTTP API endpoints outside the scope of their role.
Attack vector
An attacker who has obtained credentials for a low-privileged "swa-monitor" or "cns-monitor" account can call HTTP API endpoints that should be restricted to higher-privileged roles [ref_id=1]. For example, a "swa-monitor" user can request `https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list` to retrieve the list of available snapshots, or access other endpoints to download snapshots, list installed packages, and read network or Splunk configuration [ref_id=1]. A "cns-monitor" user can reach `/system/diagnostics` to manage log files [ref_id=1]. No authentication bypass is required beyond possessing a valid account with one of these monitor roles.
Affected code
The advisory identifies HTTP API endpoints that are accessible to users with the "swa-monitor" role, including `get_snapshot_list`, `get_snapshot`, `get_packages`, `get_settings`, and `settings`. Additionally, users with the "cns-monitor" role can reach the `/system/diagnostics` endpoint [ref_id=1]. No patch files are provided in the bundle.
What the fix does
The advisory states that the vendor fixed the vulnerability with the release of Corero SecureWatch Managed Services version 9.7.5 [ref_id=1]. No patch diff is available in the bundle, so the exact code changes are unknown. The remediation guidance is to upgrade to version 9.7.5 or later [ref_id=1].
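Because no diff is available, the shape of the missing check can only be illustrated. The following is an added example, not Corero's code and not the vendor's actual fix: a dispatcher that only requires a logged-in session (the behaviour the advisory describes) beside a deny-by-default dispatcher that consults an endpoint-to-roles table. The role and endpoint names are from the advisory; the permission table, the `get_status` endpoint and the admin role are constructed assumptions.

```python
"""Missing role check beside a deny-by-default one.

Added example for CVE-2021-38137; not Corero's code, and the vendor's real fix
is not public. The permission table, the admin role and the get_status
endpoint are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when the caller's role is not listed for the endpoint."""


# Constructed permission table: which roles may call each endpoint.
ENDPOINT_ROLES = {
    "get_snapshot_list": {"admin"},
    "get_snapshot": {"admin"},
    "get_packages": {"admin"},
    "get_settings": {"admin"},
    "settings": {"admin"},
    "system/diagnostics": {"admin"},
    # Assumed read-only endpoint a monitor role legitimately needs.
    "get_status": {"admin", "swa-monitor", "cns-monitor"},
}


def handle_request_vulnerable(user, endpoint):
    """Authenticated-only dispatch: any logged-in user reaches any endpoint.

    This mirrors the advisory's finding: being a swa-monitor or cns-monitor
    user is enough to call endpoints meant for higher-privilege roles.
    """
    if endpoint not in ENDPOINT_ROLES:
        raise KeyError(endpoint)
    return f"{endpoint} served to {user.name}"


def handle_request_hardened(user, endpoint):
    """Deny by default: the caller's role must be listed for the endpoint."""
    allowed = ENDPOINT_ROLES.get(endpoint)
    if allowed is None or user.role not in allowed:
        raise Forbidden(f"role {user.role!r} may not call {endpoint!r}")
    return f"{endpoint} served to {user.name}"


def reachable_by(dispatch, role):
    """Return the set of endpoints `dispatch` serves to a user holding `role`.

    Useful as a regression check: run it for every low-privilege role and
    compare against the intended permission table.
    """
    user = User(name=f"probe-{role}", role=role)
    served = set()
    for endpoint in ENDPOINT_ROLES:
        try:
            dispatch(user, endpoint)
        except Forbidden:
            continue
        served.add(endpoint)
    return served


if __name__ == "__main__":
    for role in ("swa-monitor", "cns-monitor"):
        print(role, "vulnerable:", sorted(reachable_by(handle_request_vulnerable, role)))
        print(role, "hardened: ", sorted(reachable_by(handle_request_hardened, role)))
```

The point of `reachable_by` is that authorization bugs of this class are cheap to catch in CI: enumerate every (role, endpoint) pair and diff the served set against the permission table, rather than relying on each handler to remember its own check.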
Preconditions
- auth: Attacker must possess valid credentials for a user account assigned the 'swa-monitor' or 'cns-monitor' role.
- config: The target host must be running Corero SecureWatch Managed Services 9.7.2.0020.
- network: The attacker must have network access to the HTTP API endpoints on the target host (typically port 8000).
Reproduction
Login with a user of role "swa-monitor". Request the snapshots list: `https://$host:8000/it-IT/splunkd/__raw/services/get_snapshot_list`. Observe the response containing the list of available snapshots [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://www.corero.com/blog/data-sheets-corero-securewatch-managed-services/
- https://www.shielder.it/advisories/corero_secure_watch_managed_services-multiple-broken-access-control/
News mentions
No linked articles in our index yet.