CVE-2025-67834 Overview
CVE-2025-67834 is a reflected cross-site scripting (XSS) vulnerability in Paessler PRTG Network Monitor versions prior to 25.4.114. The flaw allows an unauthenticated attacker to inject malicious script content through the filter parameter. When a victim interacts with a crafted link, the injected payload executes in the context of the victim's browser session. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the browser of any user who visits a crafted URL, enabling session theft and unauthorized actions within PRTG.
Affected Products
- Paessler PRTG Network Monitor versions prior to 25.4.114
- Deployments exposing the PRTG web interface to untrusted networks
- All editions of PRTG Network Monitor below the patched release
Discovery Timeline
- 2026-01-14 - CVE-2025-67834 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-67834
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in the filter parameter of the PRTG web interface. PRTG reflects the parameter value back into rendered HTML without adequate output encoding. An attacker can craft a URL containing JavaScript payloads that execute when a victim loads the page.
Exploitation requires user interaction, as indicated by the attack vector. The attacker typically delivers the crafted URL through phishing, chat platforms, or embedded links on third-party sites. No authentication is needed to construct the malicious request.
Because PRTG is a network monitoring product, administrators frequently access the console with privileged sessions. Successful exploitation can lead to session token theft, forced actions within the PRTG interface, or pivoting to sensitive monitoring data.
Root Cause
The root cause is missing or insufficient HTML output encoding on the filter query parameter. The application accepts the parameter from unauthenticated requests and writes it back into the response body where the browser interprets it as executable script.
Attack Vector
The attack is network-based and requires the victim to click a crafted link pointing at the vulnerable PRTG instance. The injected payload runs in the origin of the PRTG web application, giving the attacker access to cookies, DOM content, and any authenticated session state the victim holds. Refer to the Paessler Vulnerability Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-67834
Indicators of Compromise
- HTTP requests to PRTG endpoints containing filter parameter values with <script>, javascript:, onerror=, or encoded variants of these strings
- Web access logs showing unusual referrers directing users to PRTG URLs with long or encoded query strings
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after accessing PRTG
Detection Strategies
- Inspect PRTG web server access logs for query strings containing HTML or script syntax in the filter parameter
- Deploy web application firewall (WAF) rules that flag reflected XSS patterns targeting PRTG endpoints
- Correlate browser telemetry from administrator workstations with PRTG access events to identify suspicious script execution
Monitoring Recommendations
- Forward PRTG web server and proxy logs to a centralized SIEM for query parameter inspection
- Alert on PRTG sessions originating from unexpected geographies or producing anomalous API call volumes
- Track Content Security Policy (CSP) violation reports if CSP headers are enforced in front of PRTG
How to Mitigate CVE-2025-67834
Immediate Actions Required
- Upgrade PRTG Network Monitor to version 25.4.114 or later as published in the Paessler advisory
- Restrict access to the PRTG web interface to trusted management networks using firewall or VPN controls
- Instruct administrators to avoid clicking unverified PRTG links received through email or chat
Patch Information
Paessler released a fixed build in PRTG Network Monitor version 25.4.114. Refer to the Paessler Vulnerability Advisory for download links and upgrade instructions.
Workarounds
- Place PRTG behind a reverse proxy or WAF that strips or encodes script content in the filter parameter
- Enforce a strict Content Security Policy that blocks inline script execution on PRTG pages
- Limit administrator browser sessions to PRTG-only browsing profiles to reduce phishing exposure
# Example WAF rule (ModSecurity) blocking script payloads in the filter parameter
SecRule ARGS:filter "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"id:1009001,phase:2,deny,status:403,log,msg:'CVE-2025-67834 PRTG XSS attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
