External risk intelligence

ntopng Predictable Session Identifier Vulnerability Allows Session Hijacking

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38968

ntopng is a network traffic analysis and monitoring tool designed to provide a web-based interface for visualizing network activity. In many deployments, this interface is hosted on a network-accessible server or appliance to allow administrators to monitor traffic, making the web management surface commonly reachable across internal or external network segments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

ntopng, a network traffic analysis tool, has a vulnerability that could allow unauthorized access to authenticated sessions by predicting session identifiers. This issue, found in the web interface, could potentially enable session hijacking.

  • Predictable session IDs allow hijacking authenticated sessions.
  • It affects network monitoring tools with web interfaces.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests over the network to a vulnerable ntopng instance. The attacker can then predict or guess the session identifiers used by the application, allowing them to hijack active user sessions and gain unauthorized access.

  • No authentication required for attack.
  • Predictable session identifiers are generated.
  • Session hijacking and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a predictable session identifier vulnerability in ntopng could allow an unauthenticated attacker to hijack active user sessions by guessing session cookies. This could affect the confidentiality and integrity of data accessed through the ntopng web interface.

  • Network traffic data could be compromised.
  • Predictable session IDs can be guessed.
  • Session hijacking could occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in ntopng affects the session identifier generation, potentially leading to session hijacking. Owners of network monitoring infrastructure and the application teams responsible for deploying and maintaining ntopng should prioritize identifying all instances of this software. Confirming reachability and business criticality will inform the risk assessment and remediation planning.

  • Identify all ntopng deployments.
  • Verify network reachability and criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ntopng?

ntopng is a network traffic analysis and monitoring tool. It provides a web-based interface that allows administrators to visualize, track, and inspect network activity in real time. It is commonly deployed on servers or dedicated appliances to gain visibility into data flows, bandwidth usage, and overall network health.

What does CWE-341 mean for CVE-2026-38968?

CWE-341 refers to Predictable Session Identifier, a weakness class where an application creates session tokens that are too easy to guess. In this CVE, ntopng uses weak, time-based math to generate session cookies. Because the randomness is insufficient, an attacker can mathematically determine or collide with valid session IDs, effectively bypassing the need for a legitimate password to gain access to an authenticated session.

How can an attacker trigger this vulnerability?

An attacker triggers this by interacting with the ntopng web interface over the network. Because the session identifiers are predictable based on timing, an attacker can send requests to the server to observe or calculate incoming session tokens. Notably, this does not require prior knowledge of a user's credentials or successful authentication, as the flaw lies in the server's process of creating the session cookie itself during the login flow.

Is my ntopng instance at risk?

According to Halo Surface Signal, risk depends on how your ntopng instance is deployed. Because it is a web-based monitoring tool, these interfaces are often placed on network segments that are reachable by many users or external parties. If your ntopng dashboard is accessible from networks beyond just the local administrator workstation, the likelihood that an unauthorized party could reach and interact with the session generation process increases.

What should I do if I run ntopng?

Your first step is to locate all instances of ntopng running in your environment. Once identified, restrict access to the web interface to authorized management networks only to reduce the attack surface. Monitor official project channels for software updates that address the weak session identifier generation. Coordinate with your infrastructure teams to prioritize updating these deployments as part of your maintenance lifecycle.

References