Rapid7 Vulnerability & Exploit Database

PRTG Network Monitor Authenticated RCE




Notifications can be created by an authenticated user and can execute scripts when triggered. Because the script name is poorly validated, it can be chained with a user-supplied command, allowing command execution in the context of a privileged user. The module uses the provided credentials to log in to the web interface, then creates and triggers a malicious notification to achieve RCE using a PowerShell payload. It may take a few tries to get a shell because notifications are queued on the server. This vulnerability affects versions prior to 18.2.39. See the references for more details about the vulnerability allowing RCE.
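As an added illustration of the validation failure the description points to (example code written for this page, not PRTG's code and not the Metasploit module): a strict allowlist check for a notification script name that rejects anything but a bare filename, an argument-vector builder that never splices the name into a shell string, and a triage helper that flags installs below 18.2.39. The dotted version format with a build number, the interpreter flags and the inventory below are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Allowlist for script names: a plain filename, no directory separators,
# no whitespace, no shell metacharacters, fixed extensions only.
# Constructed policy for illustration; not PRTG's own rule set.
_SCRIPT_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(?:ps1|bat|exe)$")

# First version the advisory text states as not affected.
FIXED_VERSION: Tuple[int, int, int] = (18, 2, 39)


def validate_script_name(name: str) -> Optional[str]:
    """Return the name if it matches the allowlist, otherwise None.

    Inputs that are not a plain filename are rejected rather than sanitized,
    so chained commands, path traversal and extra arguments never reach
    the interpreter.
    """
    if not isinstance(name, str) or _SCRIPT_NAME.fullmatch(name) is None:
        return None
    return name


def build_argv(script_name: str) -> Optional[List[str]]:
    """Build an argument vector for the script (assumed PowerShell flags).

    Returning a list instead of a single command string means the script
    name is always one argument, never something a shell re-parses.
    """
    checked = validate_script_name(script_name)
    if checked is None:
        return None
    return ["powershell.exe", "-NoProfile", "-File", checked]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted version such as '18.2.39.1661' into a tuple of ints."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below 18.2.39, False if not, None if unparsable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed[:3] < FIXED_VERSION


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split hosts into those needing the update and those with unknown versions."""
    result: Dict[str, List[str]] = {"affected": [], "unknown": []}
    for host, version in inventory:
        state = is_affected(version)
        if state is None:
            result["unknown"].append(host)  # needs a manual look, not silence
        elif state:
            result["affected"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("prtg-core-01", "18.2.38.1620"),
    ("prtg-core-02", "18.2.39.1661"),
    ("prtg-lab", "17.4.35"),
    ("prtg-probe-old", "n/a"),
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
    print(build_argv("Demo.ps1"))
    print(build_argv("Demo.ps1 & whoami"))
```

The point of the two halves is the same: the server side should decide what a script name may look like and reject everything else, and the operations side should know which instances still run an affected build so the notification feature is not exposed to authenticated users on them.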


  • Josh Berry <josh.berry@codewatch.org>
  • Julien Bedel <contact@julienbedel.com>




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/prtg_authenticated_rce
msf exploit(prtg_authenticated_rce) > show targets
msf exploit(prtg_authenticated_rce) > set TARGET < target-id >
msf exploit(prtg_authenticated_rce) > show options
    ...show and set options...
msf exploit(prtg_authenticated_rce) > exploit
