CVE-2025-58123
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-09-23

Assigner: Checkmk GmbH

Description
Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-28
Last Modified
2025-09-23
Generated
2026-06-16
AI Q&A
2025-08-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58123
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oetiker bgp_monitoring *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an improper certificate validation issue in the Checkmk Exchange BGP Monitoring plugin. It allows attackers who are in a Man-in-the-Middle (MitM) position to intercept network traffic by exploiting the plugin's failure to properly validate certificates during communication. [1]

Impact Analysis

The vulnerability can allow attackers positioned between the user and the monitored devices to intercept and potentially manipulate sensitive network traffic. This could lead to unauthorized access to network data, disruption of BGP session monitoring, and compromise of network security. [1]

Detection Guidance

Detection can involve monitoring for unusual BGP session behaviors or intercept attempts related to the Checkmk Exchange BGP Monitoring plugin. Since the plugin uses SSH to access Huawei switches via the pexpect library, inspecting SSH session logs for anomalies may help. Additionally, verifying the plugin version (should be 0.2.13 or later) and checking the MD5 hash of the plugin files (expected 15a37f2c92a4c1b0d7bf15a9a227b856) can help identify vulnerable installations. Specific commands might include checking the plugin version within Checkmk and verifying file hashes on the system. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or removing the vulnerable Checkmk Exchange BGP Monitoring plugin, especially since Checkmk warns that the plugin may not be safe to use. Ensuring that Checkmk is updated to version 2.2.0p18 or higher and verifying that the plugin is updated to the latest version (0.2.13) may reduce risk. Additionally, monitoring and restricting SSH access to Huawei switches and other devices involved can help limit exposure. Since the vulnerability involves improper certificate validation allowing Man-in-the-Middle attacks, implementing network-level protections such as enforcing strict SSH key verification and using secure communication channels is advisable. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart