CVE-2025-58123
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-09-23
Assigner: Checkmk GmbH
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oetiker | bgp_monitoring | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper certificate validation issue in the Checkmk Exchange BGP Monitoring plugin. It allows attackers who are in a Man-in-the-Middle (MitM) position to intercept network traffic by exploiting the plugin's failure to properly validate certificates during communication. [1]
How can this vulnerability impact me?
The vulnerability can allow attackers positioned between the user and the monitored devices to intercept and potentially manipulate sensitive network traffic. This could lead to unauthorized access to network data, disruption of BGP session monitoring, and compromise of network security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unusual BGP session behaviors or intercept attempts related to the Checkmk Exchange BGP Monitoring plugin. Since the plugin uses SSH to access Huawei switches via the pexpect library, inspecting SSH session logs for anomalies may help. Additionally, verifying the plugin version (should be 0.2.13 or later) and checking the MD5 hash of the plugin files (expected 15a37f2c92a4c1b0d7bf15a9a227b856) can help identify vulnerable installations. Specific commands might include checking the plugin version within Checkmk and verifying file hashes on the system. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the vulnerable Checkmk Exchange BGP Monitoring plugin, especially since Checkmk warns that the plugin may not be safe to use. Ensuring that Checkmk is updated to version 2.2.0p18 or higher and verifying that the plugin is updated to the latest version (0.2.13) may reduce risk. Additionally, monitoring and restricting SSH access to Huawei switches and other devices involved can help limit exposure. Since the vulnerability involves improper certificate validation allowing Man-in-the-Middle attacks, implementing network-level protections such as enforcing strict SSH key verification and using secure communication channels is advisable. [1]
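The strict SSH key verification advised above, sketched as an added example; it is not code from Checkmk or from the plugin. The host name, pin store and helper names are hypothetical and the keys are constructed sample data; the `ssh` options used are standard OpenSSH client options.

```python
import base64
import hashlib
import hmac

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' public key line."""
    b64_blob = pubkey_line.split()[1]
    blob = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as unpadded base64.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def verify_host_key(host: str, presented_line: str, pins: dict) -> bool:
    """Fail closed: an unknown host or a changed key is rejected, never auto-accepted."""
    pinned = pins.get(host)
    if pinned is None:
        return False
    return hmac.compare_digest(fingerprint(presented_line), pinned)

def strict_ssh_argv(host: str, user: str, known_hosts: str) -> list:
    """Build an ssh command line that refuses unknown or changed host keys."""
    for value in (host, user):
        # Reject values that ssh could parse as options.
        if not value or value.startswith("-") or any(c.isspace() for c in value):
            raise ValueError(f"unsafe ssh argument: {value!r}")
    # The result can be handed to pexpect.spawn(argv[0], argv[1:]).
    return [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",          # never prompt to trust a new key
        "-o", f"UserKnownHostsFile={known_hosts}",  # only the pinned keys are trusted
        "-o", "GlobalKnownHostsFile=/dev/null",
        f"{user}@{host}",
    ]

def make_sample_key(seed: int) -> str:
    """Constructed sample key line (not a real device key)."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(body).decode("ascii") + " constructed"

SWITCH_KEY = make_sample_key(1)   # key recorded when the switch was enrolled
OTHER_KEY = make_sample_key(2)    # a different key presented for the same host
PINS = {"switch1.example.net": fingerprint(SWITCH_KEY)}

if __name__ == "__main__":
    print(verify_host_key("switch1.example.net", SWITCH_KEY, PINS))  # pinned key
    print(verify_host_key("switch1.example.net", OTHER_KEY, PINS))   # changed key
    print(strict_ssh_argv("switch1.example.net", "monitor", "/tmp/pinned_known_hosts"))
```

With `StrictHostKeyChecking=yes`, a switch whose key is missing from the pinned file or has changed causes the connection to be refused instead of producing a trust prompt.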