CVE-2025-64999
Cross-Site Scripting in Checkmk Synthetic Monitoring Logs
Publication date: 2026-02-26
Last updated on: 2026-03-05
Assigner: Checkmk GmbH
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2025-64999 is a cross-site scripting (XSS) vulnerability in Checkmk versions 2.4.0 before 2.4.0p22 and 2.3.0 before 2.3.0p43. It occurs because the Checkmk user interface renders HTML logs generated by synthetic monitoring tests on hosts. An attacker who can manipulate a host's check output can inject malicious JavaScript into these HTML logs."}, {'type': 'paragraph', 'content': 'Normally, these logs are sandboxed inside an HTML iframe when viewed through the standard Checkmk UI, preventing malicious code execution. However, an attacker can craft phishing links that lead to pages rendering these logs without sandboxing, tricking users into executing the malicious scripts.'}, {'type': 'paragraph', 'content': 'These phishing links look like legitimate Checkmk UI URLs, making it easier to deceive users. The vulnerability affects all editions of Checkmk in default configurations, including Enterprise, Cloud, and MSP editions.'}] [1]
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious JavaScript code in the context of the Checkmk user interface if a user clicks on a crafted phishing link.
The impact includes potential compromise of confidentiality, integrity, and availability of the system, as indicated by the high CVSS score of 7.3.
An attacker could use this to perform actions such as stealing sensitive information, hijacking user sessions, or executing unauthorized commands within the Checkmk UI.
Users are advised to avoid clicking on suspicious phishing links that resemble legitimate Checkmk URLs to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious JavaScript injection into Synthetic Monitoring HTML logs via manipulated host check outputs. Detection involves monitoring for suspicious or unexpected JavaScript code within the Synthetic Monitoring logs rendered by Checkmk.
Since the vulnerability is related to crafted phishing links that render logs without sandboxing, detection can include analyzing web server logs or network traffic for unusual URLs resembling Checkmk UI URLs with suspicious parameters.
No specific commands are provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patch releases that fix this vulnerability, specifically upgrading to Checkmk versions 2.4.0p22 or later, or to unreleased versions 2.5.0b1 and 2.6.0b1 when available.
Users should avoid clicking on suspicious phishing links that resemble Checkmk UI URLs, as these can trigger the malicious JavaScript execution.
Ensure that the Checkmk UI is configured to sandbox HTML logs properly to prevent un-sandboxed rendering of malicious content.