CVE-2018-9276 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2018-07-02

Added to CISA KEV: 2025-02-04 2409 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately update PRTG Network Monitor to version 18.2.39 or later
Review PRTG administrative access logs for suspicious command injection attempts
Consider restricting PRTG web console access to internal networks only via VPN
Implement network segmentation to limit impact of potential compromise
Patch priority: CRITICAL - especially for internet-facing instances

CVE-2018-9276 is an OS command injection vulnerability affecting Paessler PRTG Network Monitor versions prior to 18.2.39 ^[1].

Method: The vulnerability allows an attacker to execute arbitrary operating system commands on the server or on monitored devices by sending malformed parameters within sensor or notification management scenarios ^[1].
Requirements: Exploitation requires administrative privileges on the PRTG System Administrator web console ^[1]. It is not an unauthenticated vulnerability; the attacker must already have valid credentials (or gain them, such as through default credentials like `prtgadmin:prtgadmin`) to access the management interface ^[2].
Impact: Successful exploitation provides the attacker with the ability to execute commands with the privileges of the PRTG service, which typically results in full system compromise of the host machine ^[1].

Active Exploitation: There is no widely documented evidence of this specific CVE being a primary vector in major, large-scale ransomware campaigns or advanced persistent threat (APT) operations in the public record. However, because it is an authenticated command injection, it is frequently categorized as a post-exploitation or "privilege escalation" step for an attacker who has already gained initial access to the network or the PRTG console.
Proof-of-Concept (PoC): Publicly available exploit code exists for this vulnerability. Security researchers and penetration testers have published PoCs (e.g., on GitHub and Exploit-DB) that demonstrate how to use the vulnerability to obtain a reverse shell ^[2] ^[3].

Affected Versions: All PRTG Network Monitor versions prior to 18.2.39 are vulnerable ^[1].
Status: This vulnerability was addressed in 2018. Organizations using PRTG Network Monitor should ensure they are running a version significantly newer than 18.2.39 to protect against this and subsequent vulnerabilities. The primary mitigation is to update the software and ensure that administrative access to the PRTG console is strictly restricted and protected by strong, unique credentials.

CVE-2018-9276 Detail - NVD
An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability. ... Description An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web co…
CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)
Usage. git clone https://github.com/A1vinSmith/CVE-2018-9276.git ./exploit. ... CVE-2018-9276 Authenticated Command Injection CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support) ... CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support). Dependancies. Impacket (python3 version)../expl…
GitHub - wildkindcc/CVE-2018-9276: CVE-2018-9276 PRTG < 18.2.39...
Assumptions. This is a point and shoot exploit, all you need to know are the admin credentials for the PRTG instance (default prtgadmin:prtgadmin). Depending on the configuration of the target machiene, your milage may vary.Educational purposes only etc etc. About. CVE-2018-9276 PRTG < 18.2.39 Authe…

🔴 CVE-2018-9276