CVE-2018-19410
Published: 21 November 2018
Summary
CVE-2018-19410 is a critical-severity vulnerability in Paessler PRTG Network Monitor; the weakness type (CWE) is not specified. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
PRTG Network Monitor versions prior to 18.2.40.1683 contain a vulnerability that lets remote unauthenticated attackers create users with read-write privileges, including full administrator accounts. The flaw stems from improper handling of the include directive in the /public/login.htm page: a request can override the directive's attributes so that the page performs a local file inclusion of the /api/addusers endpoint and executes it.
An attacker exploits the issue by sending a crafted HTTP request that overrides the include directive and supplies the id and users parameters expected by that endpoint, which immediately creates a privileged account. No authentication or user interaction is required, and the attack is carried out over the network with minimal complexity.
Public references from Positive Technologies detail the technical root cause and confirm the affected versions, while CISA lists the CVE in its catalog of known exploited vulnerabilities, underscoring the need to upgrade to the fixed release (18.2.40.1683 or later).
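The request path described above gives a defender two concrete checks: whether a PRTG build predates the fixed release, and whether web-server logs show requests to /public/login.htm whose parameters steer the include directive at /api/addusers together with the id and users fields. The following Python is an added example, not code from Paessler or from the page's sources. It assumes a simplified W3C-style log layout (date, time, client IP, method, path, query, status), uses constructed sample lines, and treats the parameter name include as an assumption; the match keys on the target path /api/addusers appearing in any parameter value, so it does not depend on that name.

```python
"""Version triage and request-log detection for the PRTG /api/addusers LFI path.

Added example, not PRTG or Paessler code. The log format is an assumed,
simplified W3C-style layout; the sample lines are constructed; the parameter
name 'include' is an assumption about how the directive gets overridden.
"""
import re
from urllib.parse import parse_qs, unquote

# First fixed release named in the advisory: anything older is affected.
FIXED_VERSION = (18, 2, 40, 1683)

# Assumed log layout: date time client_ip method path query status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def parse_version(version):
    """'18.2.40.1683' -> (18, 2, 40, 1683), compared field by field."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True when the PRTG build predates the fixed release 18.2.40.1683."""
    return parse_version(version) < FIXED_VERSION


def is_addusers_lfi_attempt(path, query):
    """Flag a request to the public login page whose parameters point the
    include directive at /api/addusers and also carry the id and users
    fields that endpoint needs to create an account."""
    if path.lower() != "/public/login.htm":
        return False
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    # parse_qs decodes one layer of percent-encoding; decode once more so a
    # double-encoded %252Fapi%252Faddusers does not slip past the match.
    values = [unquote(v).lower() for vals in params.values() for v in vals]
    targets_addusers = any("/api/addusers" in v for v in values)
    has_account_fields = "id" in params and "users" in params
    return targets_addusers and has_account_fields


def parse_line(line):
    """Split one log line into its fields, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return the client IP and raw query of every flagged request, in order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_addusers_lfi_attempt(rec["path"], rec["query"]):
            hits.append({"ip": rec["ip"], "query": rec["query"]})
    return hits


# Constructed sample: two benign requests, three attempts
# (plain, percent-encoded, double-encoded), one unrelated API call.
SAMPLE_LOG = [
    "2018-11-20 10:00:01 198.51.100.7 GET /public/login.htm - 200",
    "2018-11-20 10:00:05 198.51.100.7 POST /public/checklogin.htm username=admin 302",
    "2018-11-20 10:01:02 203.0.113.5 GET /public/login.htm include=/api/addusers&id=200&users=backdoor 200",
    "2018-11-20 10:01:09 203.0.113.5 GET /public/login.htm include=%2Fapi%2Faddusers&id=201&users=backdoor2 200",
    "2018-11-20 10:01:15 203.0.113.5 GET /public/login.htm include=%252Fapi%252Faddusers&id=202&users=backdoor3 200",
    "2018-11-20 10:02:00 192.0.2.9 GET /api/table.json id=0 401",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"addusers LFI attempt from {hit['ip']}: {hit['query']}")
    print("18.2.39.1661 vulnerable:", is_vulnerable_version("18.2.39.1661"))
```

Two caveats when running this against real data: the advisory says only that the attacker crafts an HTTP request, so parameters carried in a POST body will not appear in a URL-only access log and need request-body logging or a WAF capture to catch; and the version check is a triage aid, not proof of compromise, so any flagged host should also be reviewed for unexpected read-write or administrator accounts.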
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-11103
Vulnerability details
PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).
- CWE(s): not specified
- KEV Date Added: 04 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Paessler PRTG Network Monitor, versions before 18.2.40.1683.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks before allowing any request to reach /api/addusers, blocking the unauthenticated local file inclusion that creates privileged accounts.
- AC-2 (Account Management): requires explicit authorization and verification for all account creation operations, preventing the bypass that lets an unauthenticated attacker supply the id and users parameters.
- Input validation: validates HTTP request parameters and include directive attributes so that crafted inputs cannot redirect /public/login.htm to /api/addusers.