CVE ID: CVE-2022-35739  
Product: PRTG Network Monitor  
Version Affected: Up to 22.2.77.2204  
Severity: Medium  
Exploitability: Authenticated user of the web interface (an account able to edit device settings); no unauthenticated path

Introduction

In 2022, a vulnerability was discovered in PRTG Network Monitor, a widely used network monitoring platform. This vulnerability, tracked as CVE-2022-35739, allowed authenticated users to inject arbitrary CSS into device pages by modifying the “icon” field for devices. Although the vulnerability does not allow direct JavaScript execution (XSS), the potential impact should still be understood by network admins running affected versions.

Let’s break the findings down, step by step, in simple language—along with code snippets, exploit details, and mitigation guidance.

The Root Cause

PRTG Network Monitor lets users add devices and customize their details, including choosing a custom icon. You would expect such a field to accept only one of a fixed set of icons, or at least a validated file name. Versions up to 22.2.77.2204, however, did not validate the icon value at all.

The icon value ends up inside the <style> element of the device's page, so a crafted value injects arbitrary CSS there: whatever rules the attacker typed are added to the page every time anyone opens that device's page.

1. Editing the Device's Icon

A user with login access can go to any device and edit its properties, specifically the icon field.

2. Inserting Malicious CSS

Instead of a normal icon name, the user enters a CSS fragment that changes how the device's page looks, or hides information on that page from other users.

Example CSS Injection

Suppose there’s a field in the device edit form called "Icon".

An attacker might enter the following:

} body { background-color: red; } /*

- The leading } closes the declaration block that the icon value is being written into.
- body { background-color: red; } is then parsed as a new, standalone rule.
- The trailing /* opens a comment that swallows whatever the template emits after the injected value, so the remainder of the stylesheet cannot produce a syntax error that would invalidate the injected rule.

What Happens Next?

When any admin or user views this device’s page in PRTG, the background color changes to red. This is just a simple demonstration; with more control, an attacker could hide elements, make text unreadable, or alter the appearance to confuse users.
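To make the mechanism concrete, here is an added example (not PRTG's code, and not from the original write-up): a constructed model in Python of a template that drops the stored icon value straight into the device page's <style> element, the payload above run through it, and a hardened version of the same rendering. The template string, the #device_icon selector, the /icons/ path and the icon file-name format are assumptions made for the illustration.

```python
import html
import re

# Constructed model of the unsafe rendering path: the stored icon value is
# written straight into the device page's <style> element. This illustrates
# the bug class; it is not PRTG's actual template or source.
STYLE_TEMPLATE = "<style>\n#device_icon {{ background: {icon}; }}\n</style>"

# The payload from the write-up above.
PAYLOAD = "} body { background-color: red; } /*"

# Allowlist for what an icon value may look like: a bare file name
# (assumed format), never a fragment of CSS.
ICON_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|svg|gif)$")


def render_style_vulnerable(icon: str) -> str:
    """No validation: whatever the user typed becomes part of the stylesheet."""
    return STYLE_TEMPLATE.format(icon=icon)


def render_style_html_escaped(icon: str) -> str:
    """HTML-escaping is the wrong defence for a CSS context: it rewrites
    < > & " ' but leaves { } ; / * untouched, so the break-out still works."""
    return STYLE_TEMPLATE.format(icon=html.escape(icon, quote=True))


def render_style_hardened(icon: str) -> str:
    """Accept only a plain file name and build the CSS around it server-side."""
    if not ICON_NAME.fullmatch(icon):
        raise ValueError(f"rejected icon value: {icon!r}")
    return STYLE_TEMPLATE.format(icon=f'url("/icons/{icon}")')


def css_rules(style_element: str) -> list[tuple[str, str]]:
    """Split a <style> element into (selector, declarations) pairs.
    Deliberately tiny: strips comments (including the unterminated trailing
    one the payload leaves behind) and matches flat blocks. Not a real CSS
    parser, just enough to show which rules a browser would end up with."""
    body = style_element.removeprefix("<style>").removesuffix("</style>")
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)
    body = re.sub(r"/\*.*\Z", "", body, flags=re.S)
    return [(sel.strip(), decl.strip())
            for sel, decl in re.findall(r"([^{}]+)\{([^{}]*)\}", body)]


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_style_vulnerable),
                     ("html-escaped", render_style_html_escaped)]:
        print(f"{name}: {css_rules(fn(PAYLOAD))}")
    print("hardened:", css_rules(render_style_hardened("server.png")))
    try:
        render_style_hardened(PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```

Two things are worth noticing. HTML-escaping the value changes nothing, because the characters that matter inside a stylesheet are { } ; / and *, not the ones an HTML encoder rewrites. And the fix is not a blocklist of those characters but an allowlist of what an icon name may look like, with the CSS built around it on the server so user input never becomes CSS syntax.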

Exploit Details

The affected versions stop the value from becoming executable script, but CSS alone gives an attacker a lot of control over what other users see.

- No JavaScript: browsers do not execute script from inside a <style> element, so this is CSS injection, not cross-site scripting (XSS).
- Impact: the attacker can restyle the page, hide elements or overlay misleading content for everyone who opens the device. No script runs, but do not read that as "visual only": CSS injection is a known channel for leaking page content (rules that load a remote URL only when an attribute value matches a pattern), so treat UI tampering as the floor of the impact and check what the affected page exposes.
- Who can exploit it: only authenticated users, and in practice only an account that is allowed to edit device properties.


You can get more creative, too; highlight texts, move buttons, or even overlay “warning” banners by injecting arbitrary CSS.

Example: Hiding Alert Messages

Suppose you want to hide the main message section, which could be used to trick other users.

CSS Payload

} #main_message { display: none; } /*

Result:
The alert box or important system message disappears from the UI for anyone viewing that device's page!

Limitations & Security Controls

- NOT XSS: no JavaScript runs, so the standard XSS payloads (reading document.cookie, issuing forged requests from the victim's browser) do not apply directly.
- Limited reach: an account that can edit device icons is required; there is no anonymous or unauthenticated path.
- Browser behaviour: modern browsers do not execute script from CSS (legacy, IE-only features such as expression() are gone), and PRTG already blocks script injection. What was missing was validation of the icon value itself, which is what the fix adds.

Mitigation & Patches

Paessler, the vendor behind PRTG, has released an update that fixes this bug by sanitizing the input for device icons.

Patch Version: Fix released after 22.2.77.2204.

- Upgrade: go to PRTG Downloads and update to the latest version.
- Until then, apply least privilege: limit the accounts that can edit device settings to the administrators who need it, since editing rights are the only requirement for this attack.
- After upgrading, check the icon field of existing devices for stored values containing CSS syntax ({ } ; /*). The fix sanitizes new input; a payload already saved in the configuration should be cleared by hand if it is still present.
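As a check to run after patching, here is an added example (not from the advisory and not Paessler's code) that audits exported device records for icon values that would not pass an allowlist and reports any CSS syntax characters they contain. The (device id, icon) record shape, the sample entries and the icon file-name format are constructed for the illustration; adapt the loader to however you export your configuration.

```python
import re

# Allowlist for a legitimate icon value: a bare file name with a known
# extension (assumed format; PRTG's own icon naming is not documented here).
ICON_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|svg|gif)$")

# Characters that carry meaning in a stylesheet and never belong in a file name.
CSS_META = re.compile(r"""[{};/*\\()<>"']""")


def audit_icons(devices):
    """Return (device_id, icon, reasons) for each stored icon value that
    would not survive the allowlist, noting any CSS syntax found in it.

    `devices` is an iterable of (device_id, icon) pairs, for example from a
    configuration export (constructed record shape, not a PRTG API)."""
    findings = []
    for device_id, icon in devices:
        reasons = []
        if not ICON_NAME.fullmatch(icon):
            reasons.append("not a plain icon file name")
        meta = "".join(sorted(set(CSS_META.findall(icon))))
        if meta:
            reasons.append(f"contains CSS syntax characters: {meta}")
        if reasons:
            findings.append((device_id, icon, reasons))
    return findings


# Constructed sample export: two clean entries, the two payloads from the
# write-up, and one value that is merely malformed.
SAMPLE_DEVICES = [
    (1001, "server.png"),
    (1002, "router-core_01.svg"),
    (1003, "} body { background-color: red; } /*"),
    (1004, "} #main_message { display: none; } /*"),
    (1005, "switch.bmp"),
]


if __name__ == "__main__":
    for device_id, icon, reasons in audit_icons(SAMPLE_DEVICES):
        print(f"device {device_id}: {icon!r} -> {'; '.join(reasons)}")
```

Reporting the allowlist failure and the metacharacters separately lets you tell a value that was injected (1003, 1004) from one that is only malformed (1005), which matters when deciding what to clean up by hand and what to investigate as a possible insider action.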

References

- Official CVE Record
- PRTG Release Notes
- Exploit Details on Exploit-DB

Conclusion

CVE-2022-35739 may not allow full-blown code execution, but CSS-based attacks can still cause confusion and disrupt monitoring interfaces. If you are running PRTG Network Monitor version 22.2.77.2204 or below, update right now to keep your network safe — especially from mischievous insiders!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:51:00 UTC