CVE-2018-9276

EUVD-2018-20870
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
paesslerprtg_network_monitor
𝑥
< 18.2.39
paesslerprtg_network_monitor
19.3.52 <
𝑥
< 21.2.68
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/148334/PRTG-Command-Injection.html
http://packetstormsecurity.com/files/161183/PRTG-Network-Monitor-Remote-Code-Execution.html
http://www.securityfocus.com/archive/1/542103/100/0/threaded
https://www.exploit-db.com/exploits/46527/
http://packetstormsecurity.com/files/148334/PRTG-Command-Injection.html
http://packetstormsecurity.com/files/161183/PRTG-Network-Monitor-Remote-Code-Execution.html
http://www.securityfocus.com/archive/1/542103/100/0/threaded
https://www.exploit-db.com/exploits/46527/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-9276