Lyrie · active-exploitation
ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 2/4/2025

What happened

CISA added CVE-2018-19410 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-02-04, signaling confirmed exploitation in the wild (CISA KEV). The affected product is Paessler PRTG Network Monitor (NVD entry). The vulnerability is tracked as a Local File Inclusion (LFI) class issue (MITRE CVE); per the KEV summary, it lets a remote, unauthenticated attacker create users with read-write privileges, including administrator (CISA KEV). CISA's entry sets a remediation due date of 2025-02-25 and directs organizations to apply vendor mitigations, or to discontinue use of the product if mitigations are unavailable (CISA KEV). Note the CVE year: the flaw was disclosed and fixed in 2018, so any PRTG instance that is still vulnerable is running a build that is years behind the vendor's fixes.

Why it matters

When a flaw lets an unauthenticated actor create read-write or administrator accounts, it hands over full control of the affected application (CISA KEV). For a monitoring console that control rarely stops at the application: PRTG administrators can configure notifications that execute programs on the PRTG core server and can use the credentials PRTG holds for the systems it monitors, so an attacker-created admin account is a foothold on the monitoring host and a pivot into the monitored estate. CISA's KEV catalog is reserved for vulnerabilities with evidence of exploitation, which moves this from a theoretical risk to an operational one requiring urgent action (CISA KEV). The CVE record ties the issue to Paessler PRTG Network Monitor and categorizes it as LFI (NVD entry), a class in which a request parameter selects which server-side file is loaded; here the practical effect of the inclusion is that user-creation functionality becomes reachable without logging in (CISA KEV).

For federal civilian executive branch agencies, KEV listing triggers mandatory remediation by the catalog due date under Binding Operational Directive 22-01 (CISA KEV). Outside that mandate the due date carries no legal force, but the KEV designation is a practical indicator of active adversary interest and of working exploit paths, and the 21-day window CISA assigned here is a reasonable benchmark for any organization (CISA KEV).
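The triage step this implies, turning a KEV addition into a list of your own affected hosts with the days left before the due date, is small enough to script. The following is an added example, not Lyrie's or CISA's code. It reads a record in the shape of CISA's public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) and matches it against an asset inventory. The KEV record below is constructed from the values stated in this article rather than fetched live, and the inventory hosts are hypothetical.

```python
"""KEV-to-inventory triage (added example; not Lyrie's or CISA's code).

Reads a KEV-feed-shaped record, matches its product against an asset
inventory and reports how long remains until CISA's due date. The feed
record is constructed from values in the article; hosts are hypothetical.
"""
import json
from datetime import date

# Constructed KEV-style record using the values this article reports.
# A live run would load the feed URL named in the lead-in instead.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2018-19410",
            "vendorProject": "Paessler",
            "product": "PRTG Network Monitor",
            "vulnerabilityName": "Paessler PRTG Network Monitor Local File Inclusion Vulnerability",
            "dateAdded": "2025-02-04",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-02-25",
        }
    ],
})

# Hypothetical asset inventory, with product strings as a CMDB might export them
# (vendor sometimes omitted, inconsistent case and spacing).
INVENTORY = [
    {"host": "mon-01.corp.example", "product": "Paessler PRTG Network Monitor", "internet_exposed": True},
    {"host": "mon-02.corp.example", "product": "prtg  network monitor", "internet_exposed": False},
    {"host": "web-07.corp.example", "product": "nginx", "internet_exposed": True},
]


def normalize(s):
    """Lower-case and collapse whitespace so CMDB strings compare reliably."""
    return " ".join(s.lower().split())


def product_matches(kev_entry, asset):
    """Substring match on the KEV product name; CMDB entries often drop the vendor."""
    return normalize(kev_entry["product"]) in normalize(asset["product"])


def triage(feed_json, inventory, today_iso):
    """Return one finding per (KEV entry, matching asset), most urgent first:
    internet-exposed hosts before internal ones, then fewest days remaining."""
    today = date.fromisoformat(today_iso)
    feed = json.loads(feed_json)
    findings = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not product_matches(entry, asset):
                continue
            findings.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "internet_exposed": asset["internet_exposed"],
                "days_remaining": (due - today).days,  # negative once overdue
                "overdue": today > due,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_remaining"]))
    return findings


if __name__ == "__main__":
    for finding in triage(KEV_FEED_JSON, INVENTORY, "2025-02-04"):
        print(finding)
```

Run against the real feed, the same function gives a daily list of KEV items with matching assets; the sort puts exposed hosts and the shortest windows at the top, which is the order in which the Defense section below should be applied.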

Technical detail

The vulnerability tracked as CVE-2018-19410 is a Local File Inclusion flaw in Paessler PRTG Network Monitor (NVD entry). According to the KEV entry, exploitation requires no authentication and is performed remotely over the product's web interface (CISA KEV). Successful exploitation lets the attacker create new users with read-write permissions, explicitly including administrative accounts (CISA KEV). No credentials, prior foothold or user interaction are described as prerequisites, which is why exposure of the PRTG web interface is the single most important variable in assessing risk.

The identifier is maintained in the CVE list (MITRE CVE), and NVD's record ties the flaw to PRTG Network Monitor and classifies it as LFI, consistent with the KEV summary (NVD entry). KEV inclusion on 2025-02-04 means exploitation has been observed by CISA or by partners contributing to the catalog, and that the issue warrants time-bound remediation (CISA KEV). The sources cited here do not describe the campaign behind the listing, the exploit traffic, or the actors involved; treat any such detail elsewhere as unverified unless it is attributed.

Defense

  • Execute the KEV-required action: apply vendor mitigations immediately, or discontinue use of affected PRTG instances if mitigations are not available (CISA KEV). Confirm the installed build is at or beyond the version Paessler's advisory names as fixed; do not rely on an instance having been "updated recently".
  • Treat every internet-exposed or partner-accessible PRTG web interface as high risk until it is verified remediated; because exploitation is unauthenticated, exposure alone is sufficient for compromise.
  • Restrict network access to the PRTG web interface to administrative segments, and place it behind an authenticating reverse proxy or VPN where feasible so that unauthenticated requests never reach the application.
  • Monitor for creation of new read-write or administrative PRTG users, the privilege the KEV summary says attackers obtain (CISA KEV), and investigate any account provisioning that does not match a change record.
  • After remediation, review the full PRTG user list, notification and sensor configuration, and rotate any credentials PRTG stores for monitored systems, since an unauthorized administrator could have used all of them.

If patching or vendor guidance is delayed, implement compensating controls: minimize exposure, enforce strict ACLs around the PRTG web interface, and continuously audit for unauthorized account lifecycle events, including escalation of existing accounts and deletion of privileged ones, not only new-account creation (CISA KEV).
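The account-lifecycle audit the bullets above call for is, at its core, a diff between successive snapshots of the console's user table with an allowlist of approved changes. The block below is an added example, not Lyrie's or Paessler's code, and it does not use PRTG's own user export or log format: the snapshot shape (`{username: privilege}`), the change-record shape and all of the data are constructed assumptions. It flags accounts created with read-write or administrator rights, rights raised on existing accounts, and removal of privileged accounts, and suppresses anything an approved change record covers at the observation time.

```python
"""Account-lifecycle audit for a monitoring console such as PRTG.

Added example; not Lyrie's or Paessler's code. Diffs two user-table
snapshots and flags unapproved privileged creations, escalations and
deletions. Snapshot and change-record formats are assumptions; the data
is constructed for illustration.
"""
from datetime import datetime

PRIVILEGE_RANK = {"read-only": 0, "read-write": 1, "administrator": 2}

# Constructed snapshots: {username: privilege level}. In practice these would
# be periodic exports of the console's user table.
BASELINE = {
    "prtgadmin": "administrator",
    "noc-ro": "read-only",
    "backup-svc": "read-write",
}
CURRENT_SNAPSHOT = {
    "prtgadmin": "administrator",
    "noc-ro": "read-write",          # existing account, rights raised
    "backup-svc": "read-write",      # unchanged
    "svc_updater": "administrator",  # new admin account, no change record
    "auditor": "read-only",          # new read-only account covered by a change record
}

# Constructed approved change records (hypothetical ticketing export).
APPROVED_CHANGES = [
    {"user": "auditor", "privilege": "read-only",
     "valid_from": "2025-02-04T08:00:00", "valid_to": "2025-02-04T18:00:00"},
]


def is_approved(user, privilege, observed_at, approved):
    """True if a change record covers this user and privilege at the observation time."""
    for rec in approved:
        if rec["user"] != user or rec["privilege"] != privilege:
            continue
        start = datetime.fromisoformat(rec["valid_from"])
        end = datetime.fromisoformat(rec["valid_to"])
        if start <= observed_at <= end:
            return True
    return False


def severity_for(privilege):
    """Admin creation is the KEV-described outcome, so it is rated highest."""
    return {"administrator": "critical", "read-write": "high"}.get(privilege, "low")


def audit(baseline, current, observed_at_iso, approved=APPROVED_CHANGES):
    """Return alerts for creations, privilege escalations and privileged
    deletions that no approved change record explains."""
    observed_at = datetime.fromisoformat(observed_at_iso)
    alerts = []
    for user, priv in current.items():
        prev = baseline.get(user)
        if prev is None:
            event = "created"
        elif PRIVILEGE_RANK[priv] > PRIVILEGE_RANK[prev]:
            event = "escalated"
        else:
            continue  # unchanged or lowered rights are not alerts
        if is_approved(user, priv, observed_at, approved):
            continue
        alerts.append({"user": user, "event": event, "from": prev, "to": priv,
                       "severity": severity_for(priv)})
    # Removal of a privileged account is also suspicious: an intruder may lock
    # out real admins or clean up an account once persistence lives elsewhere.
    for user, prev in baseline.items():
        if user not in current and PRIVILEGE_RANK[prev] >= PRIVILEGE_RANK["read-write"]:
            alerts.append({"user": user, "event": "deleted", "from": prev, "to": None,
                           "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in audit(BASELINE, CURRENT_SNAPSHOT, "2025-02-04T12:00:00"):
        print(alert)
```

With the constructed data the run raises two alerts: `noc-ro` escalated to read-write and `svc_updater` created as administrator; the `auditor` account is silent only because a change record covers it at that time, and the same snapshot taken the next day would flag it as well. Snapshot cadence matters: an attacker who creates an admin account, uses it and deletes it between two exports leaves only a deletion to find, so pair this with real-time log monitoring where the console provides it.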

Lyrie Verdict

Adversaries automate against KEV-listed management-plane targets because they deliver outsized access with minimal effort (CISA KEV). Lyrie instruments the control-layer signals around PRTG-like services to catch machine-speed exploitation: sudden creation of read-write or admin accounts, configuration mutations, and anomalous unauthenticated request patterns consistent with LFI-class abuse (NVD entry). We don't wait for human review cycles; our autonomous detectors elevate and interdict these sequences in real time, correlating KEV intelligence with live telemetry to suppress rogue automation before it cements persistence.
