CVE-2018-9276

HIGH KEV

PRTG Network Monitor < 18.2.39 - Authenticated OS Command Injection via Sensor or Notification Parameters


Exploitation Summary

CVE-2018-9276 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 4, 2025. EIP tracks 9 public exploits, from researchers including M4LV0, wildkindcc and BardLaudian, among them the Metasploit module exploits/windows/http/prtg_authenticated_rce.

AI-analyzed exploit summary: This exploit leverages an authenticated RCE vulnerability in PRTG Network Monitor by creating malicious notifications that execute arbitrary commands via crafted file writes and PowerShell execution. It adds a new admin user 'pentest' with a known password.

Description

An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.

Exploits (9)

exploitdb WORKING POC
by M4LV0 · bash · webapps · windows
https://www.exploit-db.com/exploits/46527

This exploit leverages an authenticated RCE vulnerability in PRTG Network Monitor by creating malicious notifications that execute arbitrary commands via crafted file writes and PowerShell execution. It adds a new admin user 'pentest' with a known password.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor 18.2.38
Auth required
Prerequisites: Valid PRTG credentials · Access to the PRTG web interface · Cookie session for authenticated requests
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 36 stars
by wildkindcc · remote
https://github.com/wildkindcc/CVE-2018-9276

This is a Python-based exploit for CVE-2018-9276, an authenticated command injection vulnerability in PRTG Network Monitor versions prior to 18.2.39. The exploit automates the process of obtaining a session, creating a malicious file, and executing a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor < 18.2.39
Auth required
Prerequisites: Valid administrator credentials for PRTG · Network access to the PRTG server · Python environment with required dependencies
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by BardLaudian · remote-auth
https://github.com/BardLaudian/CVE_2018_9276

This repository contains a functional Python exploit for CVE-2018-9276, targeting PRTG Network Monitor versions prior to 18.2.39. The exploit leverages authenticated command injection via the notifications feature to achieve remote code execution as Local System.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor < 18.2.39
Auth required
Prerequisites: Valid PRTG credentials · Network access to target
devstral-2 · analyzed Jun 14, 2026

nomisec WORKING POC
by AC8999 · remote-auth
https://github.com/AC8999/PRTG-Network-Monitor-18.2.38---Authenticated-Remote-Code-Execution-CVE-2018-9276

This repository contains a functional Python exploit for CVE-2018-9276, an authenticated remote code execution vulnerability in PRTG Network Monitor 18.2.38. The exploit leverages an unsanitized 'message_10' parameter in the notification system to inject and execute arbitrary commands via a crafted EXE/Script notification.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor 18.2.38
Auth required
Prerequisites: Valid PRTG admin credentials · Network access to the PRTG instance
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by alvinsmith-eroad · remote
https://github.com/alvinsmith-eroad/CVE-2018-9276

This repository contains a Python3 exploit for CVE-2018-9276, an authenticated command injection vulnerability in PRTG Network Monitor versions prior to 18.2.39. The exploit leverages Impacket for SMB operations and establishes a reverse shell via crafted notifications.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor < 18.2.39
Auth required
Prerequisites: Valid PRTG credentials (default: prtgadmin:prtgadmin) · Network access to target PRTG server · SMB port (445) accessible for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by andyfeili · poc
https://github.com/andyfeili/CVE-2018-9276

This script exploits an authenticated RCE vulnerability in PRTG Network Monitor by creating malicious notifications that execute arbitrary commands via file creation and user addition. It leverages the notification system to trigger payload execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor 18.2.38
Auth required
Prerequisites: Valid PRTG credentials · Session cookie for authenticated requests
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote-auth
https://github.com/backglass/exploit_prtg

This repository contains a functional Python exploit for CVE-2018-9276, a command injection vulnerability in PRTG Network Monitor. The exploit leverages the `message_10` parameter in a POST request to execute arbitrary commands, specifically adding a new user with administrative privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor (versions affected by CVE-2018-9276)
Auth required
Prerequisites: Valid credentials for PRTG admin account · Network access to the PRTG server
devstral-2 · analyzed Feb 25, 2026

inthewild WORKING POC
poc
https://github.com/a1vinsmith/cve-2018-9276

This repository contains a functional Python3 exploit for CVE-2018-9276, an authenticated command injection vulnerability in PRTG Network Monitor versions prior to 18.2.39. The exploit leverages Impacket for SMB operations and establishes a reverse shell via crafted HTTP requests to the PRTG API.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor < 18.2.39
Auth required
Prerequisites: Valid PRTG credentials (default: prtgadmin:prtgadmin) · Network access to target · Impacket library · netcat/msfvenom for payload generation
devstral-2 · analyzed Feb 23, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/prtg_authenticated_rce.rb

This Metasploit module exploits an authenticated RCE vulnerability in PRTG Network Monitor by creating and triggering a malicious notification with a PowerShell payload. The exploit chains poorly validated input in the script name to execute arbitrary commands under a privileged context.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PRTG Network Monitor versions prior to 18.2.39
Auth required
Prerequisites: Valid PRTG admin credentials · Network access to the PRTG web interface
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Mitigation, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/148334/PRTG-Command-Injection.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46527/
Broken Link, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/542103/100/0/threaded

Scores

CVSS v3 7.2
EPSS 0.8795
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-02-04
VulnCheck KEV 2025-02-04
ENISA EUVD EUVD-2018-20870
CWE CWE-78
Status published
Products (1)
paessler/prtg_network_monitor < 18.2.39
Published Jul 02, 2018
KEV Added Feb 04, 2025
Tracked Since Feb 18, 2026