CVE-2018-9276
Published: 02 July 2018
Summary
CVE-2018-9276 is a high-severity OS Command Injection (CWE-78) vulnerability in Paessler PRTG Network Monitor. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-9276 is an OS command injection vulnerability, tracked under CWE-78, that affects PRTG Network Monitor versions prior to 18.2.39. The flaw resides in the web console's handling of sensor and notification management functions, where insufficient input validation on administrative parameters permits arbitrary operating system commands to be executed on both the monitoring server and managed devices.
An attacker with authenticated access to the PRTG System Administrator console and administrative privileges can exploit the issue by submitting specially crafted parameters. Successful exploitation allows arbitrary commands to be run, with high impact on confidentiality, integrity, and availability. The CVSS 7.2 rating reflects a network-accessible attack vector that requires high privileges and no user interaction.
Public exploit code and proof-of-concept reports have been published on Exploit-DB and PacketStorm, confirming that working remote code execution payloads targeting the sensor and notification interfaces are readily available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-20870
Vulnerability details
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
- CWE(s)
- KEV Date Added: 04 February 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of all inputs to sensor/notification management functions, blocking the malformed parameters that enable OS command injection under CWE-78.
- Enforces least privilege so that only the minimal set of administrative accounts can reach the sensor and notification interfaces where the injection occurs.
- Mandates timely application of the vendor patch (PRTG 18.2.39+) that eliminates the command-injection flaw in the web console.