CVE-2018-19410
Published: 2018-11-21
Priority: P196, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2025-02-25
Exploited in the wild
EPSS: 86.46% (99.7th percentile)
PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paessler | prtg_network_monitor | < 18.2.40.1683 | 18.2.40.1683 |
Detection & IOCs (extracted from sources)
- url: /public/login.htm?file=/api/addusers.htm
- command: id=200&users={{username}}
- Detect exploitation attempts by monitoring POST requests to /public/login.htm with a 'file' query parameter pointing to /api/addusers.htm, combined with a POST body containing 'id=' and 'users=' parameters.
- A successful exploitation response will contain the string 'Added 1 users' and 'prtg' in the HTTP response body with a 200 status code.
- Use Shodan/FOFA queries to identify exposed PRTG instances as potential targets: favicon hash -655683626 or title 'prtg'.
- The attack requires the X-Requested-With: XMLHttpRequest header; monitor for unauthenticated POST requests to PRTG login endpoints carrying this header alongside LFI path traversal parameters.
- The vulnerability affects PRTG Network Monitor versions before 18.2.40.1683; the fix was shipped in version 18.2.41.1652 released June 2018.
- CISA added this CVE to its Known Exploited Vulnerabilities catalog with a remediation deadline of 2025-02-25, indicating active in-the-wild exploitation, though specific threat actor details have not been disclosed.
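CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |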
CISA
Paessler PRTG Network Monitor Local File Inclusion Vulnerability
cisa·2025-02-04·CVSS 9.8
CVE-2018-19410 [CRITICAL] Paessler PRTG Network Monitor Local File Inclusion Vulnerability
Vulnerability: Paessler PRTG Network Monitor Local File Inclusion Vulnerability
Affected: Paessler PRTG Network Monitor
Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.paessler.com/prtg/history/prtg-18#18.2.41.1652 ; https://nvd.nist.gov/vuln/detail/CVE-2018-19410
Remediation Due Date: 2025-02-25
GHSA
GHSA-pm93-g4gf-j42f: PRTG Network Monitor before 18
ghsa_unreviewed·2022-05-13
CVE-2018-19410 [CRITICAL] GHSA-pm93-g4gf-j42f: PRTG Network Monitor before 18
PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).
VulnCheck
Paessler PRTG Network Monitor Local File Inclusion Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-19410 [CRITICAL] Paessler PRTG Network Monitor Local File Inclusion Vulnerability
Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).
Affected: Paessler PRTG Network Monitor
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/encyclopedia/ips/57265; https://app.crowdsec.net/cti/cve-explorer/CVE-2018-19410; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-26&host_type=src&vulnerability=cve-2018-19410; https://dashboard.sha
No detection rules found.
Nuclei
PRTG Network Monitor - Local File Inclusion
nuclei·CVSS 9.8
CVE-2018-19410 [CRITICAL] PRTG Network Monitor - Local File Inclusion
PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).
Template:
```yaml
id: CVE-2018-19410

info:
  name: PRTG Network Monitor - Local File Inclusion
  author: DhiyaneshDK
  severity: critical
  description: |
    PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users wit
```
2018-11-21: Published
2025-02-04: Added to CISA KEV
Exploited in the wild