CVE-2018-9276
published 2018-07-02


Priority: P185 (high)
CVSS 3.1 score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2025-02-25)
Exploited in the wild
EPSS: 87.17% (99.7th percentile)
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.

Affected (2 ranges)

Vendor    | Product               | Version range | Fixed in
paessler  | prtg_network_monitor  | < 18.2.39     | 18.2.39
paessler  | prtg_network_monitor  | < 21.2.68     | 21.2.68

Detection & IOCs (extracted from sources)

url: /editsettings
url: /api/notificationtest.htm
snort:
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editsettings"; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; http.request_body; content:"message_10|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2018-9276; reference:url,github.com/A1vinSmith/CVE-2018-9276/tree/main; classtype:attempted-admin; sid:2060348; rev:1; metadata:affected_product Paessler_PRTG, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_02_24, cve CVE_2018_9276, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit POST requests target the /editsettings endpoint with the HTTP header 'X-Requested-With: XMLHttpRequest' and a body containing the 'message_10=' parameter with injected shell metacharacters (semicolon, newline, backtick, pipe, dollar sign).
  • Exploitation involves creating a malicious notification via /editsettings and then triggering it via repeated POST requests to /api/notificationtest.htm with incrementing id values (e.g., id=200 through id=250).
  • The exploit abuses the 'Execute Program' notification type, specifically the 'Demo EXE Notification - OutFile.ps1' script name field, to inject OS commands via the message parameter.
  • Default credentials prtgadmin/prtgadmin should be monitored for successful authentication attempts against the PRTG web console, as the exploit requires authenticated access.
  • Monitor for creation of new local user accounts (e.g., 'pentest') and addition to the local administrators group immediately following PRTG notification activity, as these are canonical post-exploitation actions.
  • Exploitation requires the attacker to already hold administrative credentials to the PRTG web console; this is not an unauthenticated vulnerability.
  • The Snort/Suricata rule (ET sid:2060348) is marked 'tls_state plaintext', meaning it will not detect exploitation over HTTPS/TLS-encrypted PRTG deployments.
  • Notification IDs used during triggering start around 200 and may vary; the exploit iterates id=200 through id=250 but the actual ID may differ per installation.
  • The vulnerability is fixed in PRTG version 18.2.39 and fully addressed in 18.2.41.1652 (released June 2018); detection efforts should focus on unpatched instances.
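As an added example (not part of this record, the ET ruleset, or any PRTG code), the Python below reproduces the matching conditions of sid:2060348 so they can be checked against decrypted or plaintext HTTP requests that the IDS itself would not see over TLS, and adds a simple log correlation for the /api/notificationtest.htm trigger loop described above. The raw requests and log lines are constructed; the access-log format, the placement of id in the query string, and the run-length threshold of 5 are assumptions.

```python
"""Detection logic for CVE-2018-9276 traffic patterns (added example).

Mirrors ET sid:2060348: POST to /editsettings with the
X-Requested-With: XMLHttpRequest header and a body whose message_10=
value contains a shell metacharacter (raw or percent-encoded), and then
flags sources that walk /api/notificationtest.htm with consecutive ids.
"""
import re
from collections import defaultdict

# Same semantics as the rule's pcre with /R: anchored right after
# "message_10=", no '&' allowed before the first metacharacter, so the
# metacharacter must sit inside that parameter's own value.
METACHAR_RE = re.compile(r"^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")

# Assumed access-log shape: "<src> <ident> \"<METHOD> <uri> HTTP/1.x\" <status>"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]"')


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, uri = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return method, uri, headers, body


def matches_sid_2060348(raw: str) -> bool:
    """True when every condition of the ET rule holds for this request."""
    method, uri, headers, body = parse_http_request(raw)
    if method != "POST" or "/editsettings" not in uri:
        return False
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return False
    idx = body.find("message_10=")
    if idx < 0:
        return False
    return METACHAR_RE.search(body[idx + len("message_10="):]) is not None


def notificationtest_bursts(log_lines, min_run=5):
    """Map source -> (first_id, last_id, longest consecutive run) for sources
    that POST to /api/notificationtest.htm with incrementing id values."""
    ids_by_src = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path, _, query = m.group("uri").partition("?")
        if path != "/api/notificationtest.htm":
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if params.get("id", "").isdigit():
            ids_by_src[m.group("src")].append(int(params["id"]))
    flagged = {}
    for src, ids in ids_by_src.items():
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = (ids[0], ids[-1], best)
    return flagged


# Constructed sample requests (hostnames and parameter values are made up).
_HEAD = ("POST /editsettings HTTP/1.1\r\nHost: prtg.example.internal\r\n"
         "X-Requested-With: XMLHttpRequest\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN_REQUEST = _HEAD + "id=2001&message_10=Device%20down&objecttype=notification"
SUSPICIOUS_REQUEST = _HEAD + "id=2001&message_10=Down%3B%20echo%20hi&objecttype=notification"
# Metacharacter in a different parameter: the rule's [^&]*? must not cross '&'.
OTHER_PARAM_REQUEST = _HEAD + "id=2001&message_10=ok&comment=a%7Cb"

# Constructed log lines: one normal test click, then a sequential id sweep.
SAMPLE_LOG = [
    '10.0.0.9 - "POST /editsettings HTTP/1.1" 200',
    '10.0.0.9 - "POST /api/notificationtest.htm?id=7 HTTP/1.1" 200',
] + [f'10.0.0.5 - "POST /api/notificationtest.htm?id={i} HTTP/1.1" 200'
     for i in range(200, 207)]

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST),
                      ("other-param", OTHER_PARAM_REQUEST)):
        print(f"{name}: {matches_sid_2060348(req)}")
    print("bursts:", notificationtest_bursts(SAMPLE_LOG))
```

The third sample shows why the rule's `[^\x26]*?` prefix matters: a pipe in an unrelated form field is not a hit, so the check stays tied to the message parameter the sources name. The correlation half is only a heuristic: a single legitimate notification test produces one request, while the sweep described in the bullets produces a run of consecutive ids from one source in a short window.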

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck |         | 7.2   | HIGH     |
cisa      |         | 7.2   | HIGH     |