CVE-2018-9276
Published: 2018-07-02
Priority P185 high · CVSS 3.1 score: 7.2 (high)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-02-25
Exploited in the wild
EPSS: 87.17% (99.7th percentile)
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paessler | prtg_network_monitor | < 18.2.39 | 18.2.39 |
| paessler | prtg_network_monitor | < 21.2.68 | 21.2.68 |
Detection & IOCs (extracted from sources)
URL: /editsettings
Snort/Suricata rule:
```
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editsettings"; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; http.request_body; content:"message_10|3d|"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2018-9276; reference:url,github.com/A1vinSmith/CVE-2018-9276/tree/main; classtype:attempted-admin; sid:2060348; rev:1; metadata:affected_product Paessler_PRTG, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_02_24, cve CVE_2018_9276, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Detection notes:
- Exploit POST requests target the /editsettings endpoint with the HTTP header 'X-Requested-With: XMLHttpRequest' and a body containing the 'message_10=' parameter with injected shell metacharacters (semicolon, newline, backtick, pipe, dollar sign).
- Exploitation involves creating a malicious notification via /editsettings and then triggering it via repeated POST requests to /api/notificationtest.htm with incrementing id values (e.g., id=200 through id=250).
- The exploit abuses the 'Execute Program' notification type, specifically the 'Demo EXE Notification - OutFile.ps1' script name field, to inject OS commands via the message parameter.
- Default credentials prtgadmin/prtgadmin should be monitored for successful authentication attempts against the PRTG web console, as the exploit requires authenticated access.
- Monitor for creation of new local user accounts (e.g., 'pentest') and addition to the local administrators group immediately following PRTG notification activity, as these are canonical post-exploitation actions.
Caveats:
- Exploitation requires the attacker to already hold administrative credentials to the PRTG web console; this is not an unauthenticated vulnerability.
- The Snort/Suricata rule (ET sid:2060348) is marked 'tls_state plaintext', meaning it will not detect exploitation over HTTPS/TLS-encrypted PRTG deployments.
- Notification IDs used during triggering start around 200 and may vary; the exploit iterates id=200 through id=250, but the actual ID may differ per installation.
- The vulnerability is fixed in PRTG version 18.2.39 and fully addressed in 18.2.41.1652 (released June 2018); detection efforts should focus on unpatched instances.
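As an added example (not code from the page's sources), the following Python applies the same matching logic as the ET rule above to parsed HTTP requests, so the rule's conditions can be checked against constructed samples or against decrypted traffic from a proxy log; the request records and the PLACEHOLDER_COMMAND text are made up for the example.

```python
import re

# Shell metacharacters the ET rule (sid:2060348) matches inside the message_10
# value, raw or URL-encoded: ';', newline, backtick, pipe and '$'.
META_RE = re.compile(r";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")


def is_cve_2018_9276_attempt(method, uri, headers, body):
    """Apply the rule's four conditions to one parsed request.

    Alert when: method is POST, the URI contains /editsettings, the header
    X-Requested-With: XMLHttpRequest is present, and the body carries a
    message_10= parameter whose value (up to the next '&') contains one of
    the metacharacters above.
    """
    if method.upper() != "POST" or "/editsettings" not in uri:
        return False
    # The ET rule matches the literal header bytes; header names are
    # case-insensitive in HTTP, so this port normalises them first.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    if hdrs.get("x-requested-with") != "XMLHttpRequest":
        return False
    m = re.search(r"message_10=([^&]*)", body)
    return bool(m and META_RE.search(m.group(1)))


def scan_requests(requests):
    """Return the indices of the requests that match, for alerting or review."""
    return [i for i, r in enumerate(requests)
            if is_cve_2018_9276_attempt(r["method"], r["uri"], r["headers"], r["body"])]


# Constructed sample requests (not captured traffic). The first two are
# ordinary notification edits; the last two carry a metacharacter in message_10.
XHR = {"X-Requested-With": "XMLHttpRequest"}
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/editsettings", "headers": XHR,
     "body": "id=2001&name_=Demo+EXE+Notification&message_10=Sensor+%25sensor+is+%25status"},
    {"method": "GET", "uri": "/editsettings?id=2001", "headers": XHR, "body": ""},
    {"method": "POST", "uri": "/editsettings", "headers": XHR,
     "body": "id=2001&message_10=out.txt%3B+PLACEHOLDER_COMMAND"},       # ';' URL-encoded
    {"method": "POST", "uri": "/editsettings", "headers": {"x-requested-with": "XMLHttpRequest"},
     "body": "id=2001&message_10=out.txt|PLACEHOLDER_COMMAND&other=1"},  # raw pipe
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: matches ET sid:2060348 logic")
```

As the caveat above notes, this only works on plaintext or already-decrypted HTTP; TLS-terminated PRTG deployments need the request bodies from a proxy or the web server itself.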
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |
GHSA
GHSA-cjqq-8xv6-575p (ghsa_unreviewed · 2022-05-13) · CVE-2018-9276 [HIGH] · CWE-78
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
VulnCheck
Paessler PRTG Network Monitor OS Command Injection Vulnerability (vulncheck · 2018 · CVSS 7.2) · CVE-2018-9276 [HIGH] · CWE-78
Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.
Affected: Paessler PRTG Network Monitor
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Exploit PoC: https://vulncheck.com/xdb/53b0e560b25a; https://vulncheck.com/xdb/6801ee3ef6bd; https://vulncheck.com/xdb/0086801811ed
Remediation Due: 2025-02-25
CISA
Paessler PRTG Network Monitor OS Command Injection Vulnerability (cisa · 2025-02-04 · CVSS 7.2) · CVE-2018-9276 [HIGH] · CWE-78
Affected: Paessler PRTG Network Monitor
Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.paessler.com/prtg/history/prtg-18#18.2.39 ; https://nvd.nist.gov/vuln/detail/CVE-2018-9276
Remediation Due Date: 2025-02-25
Suricata
ET WEB_SPECIFIC_APPS Paessler PRTG Notification Command Injection Attempt (CVE-2018-9276) (suricata · 2025-02-24 · CVSS 7.2) · CVE-2018-9276 [HIGH]
Rule: sid:2060348, reproduced in full under Detection & IOCs above.
Exploit-DB
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution (exploitdb · 2019-03-11 · CVSS 7.2) · CVE-2018-9276 [HIGH]
```bash
#!/bin/bash
echo -e "\n\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Authenticated PRTG network Monitor remote code execution [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Date: 11/03/2019 [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Author: https://github.com/M4LV0 [email protected] [*] \e[00m"
echo -e "\e[00;33m[+]#########################################################################[+] \e[00m"
echo -e "\e[00;32m[*] Vendor Homepage: https://www.p
```
Metasploit
PRTG Network Monitor Authenticated RCE (metasploit)
Notifications can be created by an authenticated user and can execute scripts when triggered. Due to poorly validated input on the script name, it is possible to chain it with a user-supplied command, allowing command execution under the context of a privileged user. The module uses provided credentials to log in to the web interface, then creates and triggers a malicious notification to perform RCE using a PowerShell payload. It may require a few tries to get a shell because notifications are queued up on the server. This vulnerability affects versions prior to 18.2.39. See references for more details about the vulnerability allowing RCE.
CTF
Netmon / README (ctf_writeups)
# Netmon
> Write-up author: jon-brandy
## DESCRIPTION:
- NONE
## HINT:
- NONE
## STEPS:
1. First, let's do nmap.
> RESULT
2. Based on the result here, we know that **anonymous FTP login is allowed** and the machine seems to be running a web service at port 5985. Not only that, there are **SMB** ports open.
3. And it seems there's a vuln with the SMB service.
4. Anyway let's login with ftp.
> RESULT - INFORMATION GATHERING
5. Notice there's `user.txt` file, let's download that.
> RESULT
## USER FLAG
```
607cf9cc7557252d24df4bff40865833
```
6. Now let's open the host in the web browser.
> RESULT
7. I did a small outsource about `PRTG Network Monitor (NETMON) default credentials`.
> RESULT
```
https://www.192-168-1-1-ip.co/router/prtg/prtg-network-monitor/16981/
```
> RESULT
8. H
Bleepingcomputer
CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (blogs_bleepingcomputer · 2025-02-05 · CVSS 7.5) [HIGH]
## CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks
By Bill Toulas
The US Cybersecurity & Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies and large organizations to apply the available security updates as soon as possible.
Among them are flaws impacting Microsoft .NET Framework and Apache OFBiz (Open For Business), two widely used software applications.
Though the agency has marked those flaws as actively exploited in attacks, it has not provided specific details about the malicious activity, who is conducting it, and against whom.
The first flaw, tracked under CVE-2024-29059, is a high severity (CVSS v3 score: 7.5) information disclosure bug in the .NET Framework discov
References:
- http://packetstormsecurity.com/files/148334/PRTG-Command-Injection.html
- http://packetstormsecurity.com/files/161183/PRTG-Network-Monitor-Remote-Code-Execution.html
- http://www.securityfocus.com/archive/1/542103/100/0/threaded
- https://www.exploit-db.com/exploits/46527/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-9276
Published: 2018-07-02
Added to CISA KEV: 2025-02-04