{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3antopntopng/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:ntop:ntopng:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-38968"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ntopng through 6.6"],"_cs_severities":["high"],"_cs_tags":["session-hijacking","vulnerability","ntopng","network-monitoring"],"_cs_type":"threat","_cs_vendors":["ntop"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-38968, has been identified in ntopng versions through 6.6, allowing for predictable session identifiers and subsequent session hijacking. The flaw resides in \u003ccode\u003esrc/HTTPserver.cpp\u003c/code\u003e, where the HTTP session creation process relies on weak time-seeded pseudo-randomness to generate session cookies. This implementation weakness can result in deterministic or colliding session cookies, especially under specific timing conditions or attacker influence. For defenders, this vulnerability is significant as it permits an attacker to impersonate legitimate, authenticated users, potentially leading to unauthorized access to sensitive network monitoring data, configuration changes, or further lateral movement within an environment. No specific threat actor or active exploitation campaign has been publicly reported at the time of disclosure, but the nature of the vulnerability makes it highly attractive for attackers targeting network infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker targets a vulnerable ntopng instance (version 6.6 or earlier) and prepares to observe or predict session ID generation.\u003c/li\u003e\n\u003cli\u003eA legitimate user authenticates to the ntopng web interface, triggering the creation of a new HTTP session by the vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe ntopng server, specifically the code in \u003ccode\u003esrc/HTTPserver.cpp\u003c/code\u003e, uses weak time-seeded pseudo-randomness to generate a session cookie for the legitimate user.\u003c/li\u003e\n\u003cli\u003eDue to the predictability of the session identifier generation, the attacker can either predict a valid session ID or observe enough session generation patterns to create a collision.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request, including a predicted or colliding session cookie, and sends it to the ntopng server.\u003c/li\u003e\n\u003cli\u003eThe ntopng server validates the attacker's session cookie as legitimate, thereby granting the attacker unauthorized access to the application with the privileges of the hijacked user.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions on behalf of the legitimate user, such as viewing network statistics, modifying configurations, or creating new users, without proper authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-38968 results in unauthorized access to the ntopng web interface. Attackers can hijack legitimate user sessions, gaining the same level of access and control as the compromised user. Depending on the privileges of the hijacked account, this could lead to sensitive network data exfiltration, unauthorized modification of network monitoring configurations, or disruption of network visibility. If an administrative user session is compromised, the attacker could take full control of the ntopng instance, potentially impacting network security and operational integrity. No specific victim counts or targeted sectors have been disclosed in connection with this vulnerability, but any organization using vulnerable ntopng versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update ntopng installations to a patched version beyond 6.6 to remediate CVE-2026-38968.\u003c/li\u003e\n\u003cli\u003eImplement strong session management practices and consider adding a Web Application Firewall (WAF) to detect and block abnormal session cookie patterns that could indicate exploitation attempts against CVE-2026-38968.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for web server access and application-level events on ntopng servers, then review logs for unusual authentication attempts or session activities potentially linked to CVE-2026-38968.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T07:44:17Z","date_published":"2026-07-09T07:44:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ntopng-predictable-session-id/","summary":"CVE-2026-38968 affects ntopng versions up to 6.6, enabling session hijacking through predictable session identifiers generated with weak time-seeded pseudo-randomness in `src/HTTPserver.cpp`, allowing attackers to gain unauthorized access to legitimate user sessions.","title":"CVE-2026-38968: ntopng Predictable Session Identifier Vulnerability Leading to Session Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-07-ntopng-predictable-session-id/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:ntop:ntopng:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}