Security Research & Advisories

Remote Command Execution Vulnerabilities in NetGain EM

Product NetGain EM FreeEdition
Affected Version(s) v10.0.9b51 and prior
Tested Version(s) v10.0.9b51
Vendor Notification May 02, 2018
Advisory Publication April 30, 2018 [without technical details]
Vendor Fix v10.0.57
Public Disclosure October 19, 2018
Latest Modification April 30, 2018
CVE Identifier(s)
Product Description NetGain is an IT monitoring software. It provides one of the most comprehensive monitoring scope in the industry. Launched in 2002, NetGain Systems is a pioneer in the IT monitoring and protection business and has established teams in Singapore, China, Indonesia, Thailand, Malaysia and Australia.
Credits Enrico Winata, Security Researcher & Penetration Tester @wizlynx group - Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Remote Command Execution
Severity: Critical CVSS Score: 9.1 CWE-ID: CWE-78 Status: Not Fixed
Vulnerability Description
The web application running on NetGain EM is affected by operating system command injection vulnerabilities affecting version 10.0.9 and probably prior versions. An attacker can use shell metacharacters to modify the command that is executed and inject arbitrary further commands that will be executed by the server. This vulnerability may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact High
Privileges Required High Integrity Impact High
User Interaction None Availability Impact High


Full details about the vulnerability will be disclosed once the vendor has provided a patch.