PRTG Network Monitor in versions 18.2.39.1661 and earlier is vulnerable to unauthenticated remote user creation due to inadequate authorization checks and Local File Inclusion (LFI). Attackers can exploit this flaw to generate users with elevated privileges, including administrators, without authentication. Currently, this vulnerability is actively exploited.
| Product | PRTG-Network-Monitor |
| Date | 2025-02-07 15:35:32 |
| Information |
|
Technical Summary
The vulnerability exists in the /public/login.htm file, which allows unauthorized file inclusion via the include directive. Attackers can manipulate this directive to include the /api/addusers.htm file, which allows them to create new users with read-write and administrative privileges. Since this vulnerability affects authentication mechanisms, exploitation can lead to a complete compromise of the monitoring system, allowing attackers to manipulate network configurations, disable alerts, or move laterally within an environment.
A publicly available proof-of-concept (PoC) exploit demonstrates how an attacker can create a malicious request to add a new user without the need for authentication. Given the severity of the flaw and its active exploitation, organizations using vulnerable versions of PRTG Network Monitor should take immediate corrective measures.
Recommendations
To mitigate this vulnerability, users should:
- Update to the latest version of PRTG Network Monitor that resolves this issue.
- Restrict external access to the web interface to trusted IP ranges.
- Monitor network logs for unauthorized user creation attempts.
- Apply Web Application Firewall (WAF) rules to block malicious requests that exploit this flaw.
References
[Callforaction-THREAT-Footer]
