Authentication Bypass and Local File Inclusion in PRTG Network Monitor (CVE-2018-19410)

ISGroup Cybersecurity

PRTG Network Monitor in versions 18.2.39.1661 and earlier is vulnerable to unauthenticated remote user creation due to inadequate authorization checks and Local File Inclusion (LFI). Attackers can exploit this flaw to generate users with elevated privileges, including administrators, without authentication. Currently, this vulnerability is actively exploited.

ProductPRTG-Network-Monitor
Date2025-02-07 15:35:32
Information
  • Fix Available
  • Active Exploitation

Technical Summary

The vulnerability exists in the /public/login.htm file, which allows unauthorized file inclusion via the include directive. Attackers can manipulate this directive to include the /api/addusers.htm file, which allows them to create new users with read-write and administrative privileges. Since this vulnerability affects authentication mechanisms, exploitation can lead to a complete compromise of the monitoring system, allowing attackers to manipulate network configurations, disable alerts, or move laterally within an environment.

A publicly available proof-of-concept (PoC) exploit demonstrates how an attacker can create a malicious request to add a new user without the need for authentication. Given the severity of the flaw and its active exploitation, organizations using vulnerable versions of PRTG Network Monitor should take immediate corrective measures.

Recommendations

To mitigate this vulnerability, users should:

  • Update to the latest version of PRTG Network Monitor that resolves this issue.
  • Restrict external access to the web interface to trusted IP ranges.
  • Monitor network logs for unauthorized user creation attempts.
  • Apply Web Application Firewall (WAF) rules to block malicious requests that exploit this flaw.

References

[Callforaction-THREAT-Footer]