CVE-2025-64999
Received Received - Intake
Cross-Site Scripting in Checkmk Synthetic Monitoring Logs

Publication date: 2026-02-26

Last updated on: 2026-03-05

Assigner: Checkmk GmbH

Description
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64999
EUVD
EUVD-2025-208119
Affected Vendors & Products
Showing 77 associated CPEs
Vendor Product Version / Range
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-64999 is a cross-site scripting (XSS) vulnerability in Checkmk versions 2.4.0 before 2.4.0p22 and 2.3.0 before 2.3.0p43. It occurs because the Checkmk user interface renders HTML logs generated by synthetic monitoring tests on hosts. An attacker who can manipulate a host's check output can inject malicious JavaScript into these HTML logs."}, {'type': 'paragraph', 'content': 'Normally, these logs are sandboxed inside an HTML iframe when viewed through the standard Checkmk UI, preventing malicious code execution. However, an attacker can craft phishing links that lead to pages rendering these logs without sandboxing, tricking users into executing the malicious scripts.'}, {'type': 'paragraph', 'content': 'These phishing links look like legitimate Checkmk UI URLs, making it easier to deceive users. The vulnerability affects all editions of Checkmk in default configurations, including Enterprise, Cloud, and MSP editions.'}] [1]

Impact Analysis

This vulnerability can lead to the execution of malicious JavaScript code in the context of the Checkmk user interface if a user clicks on a crafted phishing link.

The impact includes potential compromise of confidentiality, integrity, and availability of the system, as indicated by the high CVSS score of 7.3.

An attacker could use this to perform actions such as stealing sensitive information, hijacking user sessions, or executing unauthorized commands within the Checkmk UI.

Users are advised to avoid clicking on suspicious phishing links that resemble legitimate Checkmk URLs to mitigate this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves malicious JavaScript injection into Synthetic Monitoring HTML logs via manipulated host check outputs. Detection involves monitoring for suspicious or unexpected JavaScript code within the Synthetic Monitoring logs rendered by Checkmk.

Since the vulnerability is related to crafted phishing links that render logs without sandboxing, detection can include analyzing web server logs or network traffic for unusual URLs resembling Checkmk UI URLs with suspicious parameters.

No specific commands are provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

Immediate mitigation steps include applying the patch releases that fix this vulnerability, specifically upgrading to Checkmk versions 2.4.0p22 or later, or to unreleased versions 2.5.0b1 and 2.6.0b1 when available.

Users should avoid clicking on suspicious phishing links that resemble Checkmk UI URLs, as these can trigger the malicious JavaScript execution.

Ensure that the Checkmk UI is configured to sandbox HTML logs properly to prevent un-sandboxed rendering of malicious content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64999. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart