Executive Summary
What happened?
Paessler and USD HeroLabs, a security research firm, arranged a joint public disclosure of three vulnerabilities (CVE-2025-67833, CVE-2025-67834, CVE-2025-67835) on January 13, 2026. Vulnerability details and a proof of concept will be shared by USD HeroLabs on January 19.
What did we do and what is the outcome?
Paessler took action to release a new version of PRTG that contained fixes for the vulnerabilities. The vulnerabilities were fixed in PRTG version 25.4.114.1032, released on November 26, 2025.
Issue Details
Introduction
At Paessler, we are committed to ensuring the security and reliability of our products. Recently, we worked with USD HeroLabs to fix and jointly disclose three vulnerabilities in our PRTG product. This article outlines our response and the steps we have taken to protect your systems and enhance our processes.
Description of the Vulnerabilities
CVE-2025-67833 CVSS v3.1 Base Score: High (8.1)
We fixed a reflected Cross-Site Scripting (XSS) vulnerability in the tag parameter. An attacker could inject and execute arbitrary JavaScript code in the user's browser context. To perform a reflected XSS attack, an attacker has to induce the victim to issue a malicious request, for example, by providing a prepared link.
CVE-2025-67834 CVSS v3.1 Base Score: High (8.1)
We fixed a reflected Cross-Site Scripting (XSS) vulnerability in the filter parameter. An attacker could inject and execute arbitrary JavaScript code in the user's browser context. To perform a reflected XSS attack, an attacker has to induce the victim to issue a malicious request, for example, by providing a prepared link.
CVE-2025-67835 CVSS v3.1 Base Score: Low (3.5)
We fixed a Denial-of-Service (DoS) vulnerability in the Notification Contacts functionality. An authenticated attacker could cause a service disruption.
Potential Impact
- Paessler has categorized the vulnerabilities as Important.
- An attacker can exploit the XSS vulnerabilities by crafting malicious links that a PRTG user must click. If the link is clicked, the attacker can steal the session cookie and act with the user's privileges to read data or perform unauthorized actions.
- For CVE-2025-67835, an attacker could potentially impair functionality of the Notification Contacts page by sending a request with an invalid value.
- Confidentiality, integrity and availability are highly affected due to privilege escalation.
- There is no indication that the vulnerabilities were exploited by attackers.
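As an added triage example (not Paessler's code and not part of this advisory), the following Python helper checks whether an installed PRTG build already contains the fixes and scans access-log lines for requests whose tag or filter parameter carries HTML or script markup instead of a plain value, which is the kind of prepared link described above. The log line format, the sample lines and the detection heuristic are assumptions constructed for illustration; PRTG's real log format is not shown on this page.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = (25, 4, 114, 1032)  # first fixed PRTG build, from the advisory
WATCHED_PARAMS = ("tag", "filter")  # the reflected parameters named in the advisory
# Heuristic markup markers; ordinary values such as "cpu load" or "x<10" do not match.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]{3,}\s*=", re.IGNORECASE)

def is_fixed(version_text):
    """True when an installed build (e.g. '25.4.114.1032') is at or above the fixed version."""
    parts = tuple(int(p) for p in version_text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected PRTG version format: {version_text!r}")
    return parts >= FIXED_VERSION

def fully_decode(value, rounds=3):
    """Strip repeated URL encoding and HTML entities so a double-encoded '<' (%253C) is still seen."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return html.unescape(value)

def suspicious_params(request_path):
    """Return {param: decoded value} for watched parameters whose value contains markup."""
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in query.get(name, []):
            decoded = fully_decode(raw)
            if XSS_MARKERS.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Return (client_ip, path, hits) for each request whose tag/filter value looks injected."""
    line_re = re.compile(r'(\S+) "(?:GET|POST) (\S+) HTTP/1\.[01]" \d{3}')  # assumed log format
    findings = []
    for m in filter(None, map(line_re.match, lines)):
        hits = suspicious_params(m.group(2))
        if hits:
            findings.append((m.group(1), m.group(2), hits))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real PRTG logs
    '10.0.0.5 "GET /api/table.json?content=sensors&tag=production HTTP/1.1" 200',
    '10.0.0.9 "GET /api/table.json?content=sensors&tag=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.9 "GET /sensors.htm?filter=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200',
]
```

Running scan_log(SAMPLE_LOG) flags only the two requests from 10.0.0.9, including the double-encoded one, while the plain tag value passes.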