CVE-2025-64998
Session Signing Secret Exposure in Checkmk Enables Remote Session Hijack
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: Checkmk GmbH
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| checkmk | checkmk | to 2.3.0p45 (exc) |
| checkmk | checkmk | to 2.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the fix provided by Checkmk which removes the copying of the session signing secret to remote sites and disables the legacy user-sync automation.
No manual interaction is needed to apply the fix, so updating to the patched versions (2.4.0p23, 2.3.0p45, or later) is recommended.
Can you explain this vulnerability to me?
CVE-2025-64998 is a security vulnerability in Checkmk versions 2.4.0p23, 2.3.0p45, and 2.2.0 that affects distributed setups with configuration synchronization enabled.
The issue occurs because the secret used to sign session cookies is copied to remote sites during configuration synchronization. Additionally, a legacy user-sync automation synchronizes user sessions.
This allows an administrator of a remote site, if compromised, to hijack sessions on the central site by using knowledge of the signing secret and a valid session ID to forge valid session cookies.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can allow an attacker who has administrator access to a remote site to hijack sessions on the central Checkmk site.'}, {'type': 'paragraph', 'content': 'By forging valid session cookies, the attacker can impersonate legitimate users on the central site, potentially gaining unauthorized access to sensitive information or administrative functions.'}, {'type': 'paragraph', 'content': 'Indicators of compromise include HTTP requests containing "&command=push-profile&" in their path, which can be detected in trustworthy web logs.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests for indicators of compromise. Specifically, look for HTTP requests containing the string "&command=push-profile&" in their path, which is a sign of exploitation attempts.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can search your web server logs or proxy logs for this pattern.'}, {'type': 'list_item', 'content': "Use grep or similar tools to search logs: grep '&command=push-profile&' /path/to/webserver/access.log"}, {'type': 'list_item', 'content': 'Use network monitoring tools to filter HTTP traffic containing the suspicious command string.'}] [1]