cbcvebase.
CVE-2018-19410
published 2018-11-21


Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2025-02-25)
Exploited in the wild
EPSS: 86.46% (99.7th percentile)
PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).

Affected (1 range)

Vendor | Product | Version range | Fixed in
paessler | prtg_network_monitor | < 18.2.40.1683 | 18.2.40.1683

Detection & IOCs (extracted from sources)

path: /public/login.htm
path: /api/addusers
url: /public/login.htm?file=/api/addusers.htm
command: id=200&users={{username}}
  • Detect exploitation attempts by monitoring POST requests to /public/login.htm with a 'file' query parameter pointing to /api/addusers.htm, combined with a POST body containing 'id=' and 'users=' parameters.
  • A successful exploitation response will contain the string 'Added 1 users' and 'prtg' in the HTTP response body with a 200 status code.
  • Use Shodan/FOFA queries to identify exposed PRTG instances as potential targets: favicon hash -655683626 or title 'prtg'.
  • The attack requires the X-Requested-With: XMLHttpRequest header; monitor for unauthenticated POST requests to PRTG login endpoints carrying this header alongside LFI path traversal parameters.
  • The vulnerability affects PRTG Network Monitor versions before 18.2.40.1683; the fix was shipped in version 18.2.41.1652 released June 2018.
  • CISA added this CVE to its Known Exploited Vulnerabilities catalog with a remediation deadline of 2025-02-25, indicating active in-the-wild exploitation, though specific threat actor details have not been disclosed.
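
The request-line part of the detection guidance above, as an added example (not code from this page or from Paessler). It assumes a combined-format access log from a reverse proxy in front of PRTG; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format prefix: ip - - [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(value, rounds=3):
    """Percent-decode a bounded number of times and lower-case, so encoded or
    mixed-case variants compare equal (case-folding is an assumption made here)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()

def is_adduser_inclusion(method, target):
    """True for a POST to /public/login.htm whose 'file' parameter names /api/addusers."""
    parts = urlsplit(target)
    if method != "POST" or normalise(parts.path) != "/public/login.htm":
        return False
    files = [normalise(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if normalise(k) == "file"]
    return any("api/addusers" in f for f in files)

def scan(lines):
    """Return one finding per matching log line. A 200 status is not proof of success
    (the body marker 'Added 1 users' is not in an access log), so it only sets a flag
    telling the analyst to audit the PRTG user list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_adduser_inclusion(m["method"], m["target"]):
            findings.append({"ip": m["ip"], "target": m["target"],
                             "status": int(m["status"]),
                             "audit_users": m["status"] == "200"})
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE = [
    '198.51.100.7 - - [21/Nov/2018:10:00:01 +0000] "POST /public/login.htm?file=/api/addusers.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Nov/2018:10:00:05 +0000] "POST /Public/Login.htm?File=%252Fapi%252Faddusers.htm HTTP/1.1" 403 0',
    '192.0.2.10 - - [21/Nov/2018:10:01:00 +0000] "POST /public/login.htm HTTP/1.1" 200 2048',
    '192.0.2.10 - - [21/Nov/2018:10:01:30 +0000] "GET /public/login.htm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Where the proxy or WAF also records request headers and bodies, the X-Requested-With header and the 'id=' and 'users=' body parameters listed above can be added as further conditions.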

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL
cisa | 9.8 | CRITICAL