Cyber Resilience

CVE-2018-19410

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 21 November 2018

Modified: 07 November 2025
KEV Added: 04 February 2025
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9300 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-19410 is a critical-severity vulnerability of unspecified weakness type in Paessler PRTG Network Monitor. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

PRTG Network Monitor versions prior to 18.2.40.1683 contain a vulnerability that permits remote unauthenticated attackers to create users possessing read-write privileges, including full administrator accounts. The flaw stems from improper handling of the include directive within the /public/login.htm page, which can be manipulated to perform local file inclusion of the /api/addusers endpoint.

An attacker can exploit the issue by sending a crafted HTTP request that overrides the include directive and supplies the id and users parameters to the API endpoint, resulting in immediate creation of a privileged account. No authentication or user interaction is required, and the attack can be carried out over the network with minimal complexity.

Public references from Positive Technologies detail the technical root cause and confirm the affected versions, while CISA lists the CVE in its catalog of known exploited vulnerabilities, underscoring the need to upgrade to the vendor's fixed release, 18.2.40.1683.

EU & UK References

Vulnerability details

PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).

CWE(s): none listed (the weakness type is unspecified)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Paessler
Product: PRTG Network Monitor
Versions: ≤ 18.2.40.1683 (as listed; note that the vulnerability details above describe releases before 18.2.40.1683 as affected, with 18.2.40.1683 being the fixed release)

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly enforces authorization checks before allowing any request to /api/addusers, blocking the unauthenticated LFI that creates privileged accounts.
- Prevent: Requires explicit authorization and verification for all account creation operations, preventing the bypass that lets an unauthenticated attacker supply id/users parameters.
- Prevent: Validates HTTP request parameters and include directives so that crafted inputs cannot redirect /public/login.htm to /api/addusers.

References