CVE-2020-36969
Published: 28 January 2026
Summary
CVE-2020-36969 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Tildeslash M/Monit. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 33.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-36969 is a privilege escalation vulnerability in M/Monit 3.7.4. The flaw allows authenticated users to modify user permissions by manipulating the admin parameter through a POST request to the /api/1/admin/users/update endpoint with a crafted payload, enabling the granting of administrative access to a standard user account. It is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by any authenticated user with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation allows the attacker to elevate their privileges to administrator level on the affected M/Monit instance, resulting in high impacts to confidentiality, integrity, and availability.
Advisories and references, including the vendor site at https://mmonit.com/, VulnCheck at https://www.vulncheck.com/advisories/mmonit-privilege-escalation, and a proof-of-concept exploit at https://www.exploit-db.com/exploits/49080, provide further details on mitigation and patches.
A public proof-of-concept exploit is available, indicating potential for real-world exploitation by authenticated attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30881
Vulnerability details
M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via authorization bypass (CWE-863) allowing low-privileged authenticated users to grant themselves admin rights.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations to prevent authenticated low-privilege users from modifying user permissions via the vulnerable API endpoint.
- AC-6 (Least Privilege): restricts low-privileged authenticated users from accessing or altering administrative user permissions.
- Input validation: validates API inputs such as the manipulable 'admin' parameter to block crafted payloads that enable privilege escalation.
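The following is an added illustration, not M/Monit's code or any code from the referenced advisories: a hypothetical Python handler for a "user update" request body of the shape the advisory describes (a JSON object with a name and an admin field), written twice. The first version reproduces the CWE-863 pattern in general terms (a client-supplied admin flag is honoured for any authenticated caller); the second applies the three controls listed above on the server: AC-3 (the privilege decision is made server-side and only an administrator may change it), AC-6 (a non-admin may touch only their own account) and input validation (unknown fields and non-boolean admin values are rejected). Denied attempts are appended to an audit list so the pattern is detectable, not just blocked. The user store, account names and request body are constructed sample data.

```python
"""Server-side authorization for a user-update endpoint (illustrative, not M/Monit's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fields the endpoint is willing to accept; anything else is rejected up front.
ALLOWED_FIELDS = {"name", "password", "admin"}


@dataclass
class User:
    name: str
    admin: bool = False
    password: str = "unset"


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested change."""


def make_store() -> Dict[str, User]:
    """Constructed in-memory accounts (sample data, not from the advisory)."""
    return {
        "root": User("root", admin=True),
        "alice": User("alice", admin=False),
    }


def update_user_vulnerable(caller: User, payload: dict, users: Dict[str, User]) -> User:
    """Pattern behind the CVE, in generic form: the 'admin' field from the request
    body is written straight into the account with no check that the caller is
    allowed to change privileges at all."""
    target = users[str(payload["name"])]
    if "password" in payload:
        target.password = str(payload["password"])
    if "admin" in payload:
        target.admin = bool(payload["admin"])
    return target


def update_user_hardened(caller: User, payload: dict, users: Dict[str, User],
                         audit: Optional[List[str]] = None) -> User:
    """Same operation with AC-3, AC-6 and input validation enforced on the server."""
    audit = audit if audit is not None else []

    # Input validation: only known fields, and the target must be a real account.
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    name = payload.get("name")
    if not isinstance(name, str) or name not in users:
        raise ValueError("unknown user")
    target = users[name]

    # AC-6 (least privilege): a non-admin may modify only their own account.
    if not caller.admin and target.name != caller.name:
        audit.append(f"DENY caller={caller.name} target={name} reason=not-own-account")
        raise Forbidden("may only modify own account")

    # AC-3 (access enforcement): the admin flag is a server-side privilege
    # decision. It must be a genuine boolean and only an administrator may set it.
    if "admin" in payload:
        if not isinstance(payload["admin"], bool):
            raise ValueError("'admin' must be a boolean")
        if not caller.admin:
            audit.append(f"DENY caller={caller.name} target={name} reason=privilege-change")
            raise Forbidden("privilege change requires administrator")
        target.admin = payload["admin"]

    if "password" in payload:
        target.password = str(payload["password"])
    return target


def demo() -> dict:
    """Run both handlers against the same low-privilege request (constructed) and
    report the resulting admin flags plus the hardened handler's audit trail."""
    request = {"name": "alice", "admin": True}  # alice asks to make herself admin

    vuln_store = make_store()
    update_user_vulnerable(vuln_store["alice"], request, vuln_store)

    hard_store = make_store()
    audit: List[str] = []
    try:
        update_user_hardened(hard_store["alice"], request, hard_store, audit)
        denied = False
    except Forbidden:
        denied = True

    return {
        "vulnerable_admin": vuln_store["alice"].admin,  # True: escalation succeeded
        "hardened_admin": hard_store["alice"].admin,    # False: request refused
        "denied": denied,
        "audit": audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of the hardened version is that the authorization decision never depends on what the client sent: the caller's own role, looked up server-side, decides whether the admin field may be written at all, and every refusal leaves an audit line that a detection rule can alert on.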