CVE-2014-6607

M/Monit <3.3.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6607. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This is a CSRF exploit for M/Monit that allows an attacker to reset the password of any user account, including the admin, without knowing the current password. The PoC is a simple HTML form that submits a POST request to the vulnerable endpoint.

Description

M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.

Exploits (1)

exploitdb WORKING POC
by Dolev Farhi · text · webapps · php
https://www.exploit-db.com/exploits/34718


Classification
Working PoC 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: M/Monit <= 3.2.2
No auth needed
Prerequisites: Victim must be authenticated and visit the malicious HTML page
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Sep/71
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34718

Scores

EPSS 0.0665
EPSS Percentile 93.0%

Details

CWE
CWE-255
Status published
Products (1)
mmonit/m/monit < 3.3.2
Published Oct 06, 2014
Tracked Since Feb 18, 2026