Critical Vulnerability (CVE-2018-19410) Exposes 600 PRTG Instances in Bangladesh

As part of BGD e-GOV CIRT's continuous efforts to monitor emerging threats and vulnerabilities that could compromise national security, our Cyber Threat Intelligence Unit has identified 600 vulnerable PRTG instances in Bangladesh affected by CVE-2018-19410, a critical-severity vulnerability. This Local File Inclusion (LFI) and Authentication Bypass flaw is actively exploited by cybercriminals and is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability, which affects PRTG Network Monitor versions before 18.2.40.1683, allows remote unauthenticated attackers to create users with read-write (admin) privileges, granting them full control over the instance. Exploiting this flaw could lead to unauthorized access, data exfiltration and system manipulation, posing a significant risk to the system's confidentiality and integrity. Immediate remediation is critical to prevent further exploitation.

Vulnerability Details

  • CVE ID: CVE-2018-19410
  • CVE Type: Authentication Bypass, Improper Authorization, Local File Inclusion (LFI)
  • Severity: 9.8 Critical
  • Attack Vector: Remote
  • Exploitability: Unauthenticated remote attackers can create users with admin privileges

Affected Software

  • Software: PRTG Network Monitor
  • Affected Versions: earlier than 18.2.40.1683

Attack Method

  • The flaw exists in /public/login.htm, where an attacker can override attributes of the ‘include’ directive.
  • Attackers can include /api/addusers in the request, allowing unauthorized user creation with read-write (admin) privileges.
  • This leads to authentication bypass, improper authorization, and file inclusion attacks.
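Two checks a defender can run from the details above, as an added example that is not part of the advisory or of PRTG: a version comparison against the fixed build 18.2.40.1683, and a review of web-server access logs for requests to /public/login.htm whose query string references /api/addusers. The combined-format log lines and the query parameter name "include" are constructed for illustration; only the two paths come from the advisory.

```python
import re
from urllib.parse import urlsplit, unquote

# Fixed build from the advisory: PRTG builds earlier than this are affected.
FIXED_VERSION = "18.2.40.1683"

def parse_version(v):
    """Turn a dotted PRTG version such as '18.2.40.1683' into a tuple of ints."""
    return tuple(int(part) for part in v.strip().split("."))

def is_vulnerable_version(version):
    """True when the installed PRTG build is earlier than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)

# Paths from the advisory: the flaw is in /public/login.htm and is abused by
# getting that page to include /api/addusers.
LOGIN_PATH = "/public/login.htm"
INCLUDED_API = "/api/addusers"

# Apache/nginx combined log line: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_addusers_include(target):
    """True when a /public/login.htm request carries /api/addusers in its query."""
    parts = urlsplit(unquote(target))          # decode %2F etc. before matching
    if parts.path.lower() != LOGIN_PATH:
        return False
    return INCLUDED_API in parts.query.lower()

def find_suspicious_requests(log_lines):
    """Return (ip, time, target) for each log line that matches the pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_addusers_include(m.group("target")):
            hits.append((m.group("ip"), m.group("time"), m.group("target")))
    return hits

# Constructed sample log lines (not real traffic); 198.51.100.0/24 is documentation space.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Feb/2025:10:01:02 +0600] "GET /public/login.htm HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Feb/2025:10:01:15 +0600] "GET /public/login.htm?include=%2Fapi%2Faddusers HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Feb/2025:10:02:40 +0600] "GET /api/table.json?content=sensors HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("18.2.39.1661 vulnerable:", is_vulnerable_version("18.2.39.1661"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("possible CVE-2018-19410 probe:", hit)
```

A match in the log only shows that the page was asked to include the user-creation API; confirm by checking the PRTG user list for accounts that were not created by an administrator.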

Potential Impact

  • Complete system compromise by unauthorized attackers.
  • Privileged access for malicious users.
  • Execution of arbitrary code through unauthorized file inclusion.
  • Data theft and operational disruption in affected networks.

Please find the full advisory document in PDF here.
