EUVD-2025-208958 | CVE-2025-64998 | HIGH 7.3 (CVSS 4.0)
2026-03-24 | Vendor: Checkmk | GHSA-6642-x6x4-g343

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: High
User Interaction: Passive
Vulnerable System Impact: Confidentiality High / Integrity High / Availability High
Subsequent System Impact: None

Lifecycle Timeline

Analysis Generated: Mar 24, 2026 11:45 (vuln.today)
EUVD ID Assigned: Mar 24, 2026 11:45 (euvd) - EUVD-2025-208958
CVE Published: Mar 24, 2026 11:25 (nvd)

Description

Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies.

Analysis

Checkmk's session signing secret is included in the configuration data synchronized between the central site and its remote sites. An administrator of a remote site with config sync enabled can read that secret and use it to forge session cookies that the central site accepts, hijacking the session of any user there, including central-site administrators, and thereby taking control of the monitoring infrastructure. The CVSS vector matches this picture: Privileges Required High (the attacker must already administer a remote site), Attack Requirements Present (config sync must be enabled), a network attack vector, and high confidentiality, integrity and availability impact on the central site. Affected are Checkmk versions before 2.4.0p23, before 2.3.0p45, and all 2.2.0 releases.

Technical Context

Checkmk is an infrastructure and application monitoring platform (cpe:2.3:a:checkmk_gmbh:checkmk). In a distributed setup one central site holds the configuration and replicates it to remote sites (config sync). Session management relies on cryptographically signed session cookies, and the signing secret is a symmetric key: whoever holds it can both verify and mint cookies. The flaw, classified as CWE-522 (Insufficiently Protected Credentials), is that the central site's session signing secret was part of the material replicated to remote sites, so an administrator of a remote site, who has access to the replicated configuration, obtains the very key the central site trusts for session authentication. The secret thereby lands in a trust domain that should never hold it, breaking least privilege: a remote-site administrator is not supposed to be able to authenticate as anyone on the central site.
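To make the mechanism concrete, the following Python sketch (an added illustration, not Checkmk's code and not its actual cookie format) shows a minimal HMAC-signed session cookie scheme: the same secret that lets the central site verify a cookie lets anyone who obtains a copy of it mint a cookie for any user, and rotating the secret is what revokes forged cookies. The cookie layout, the function names and the victim user name cmkadmin are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple


def new_signing_secret() -> bytes:
    """Fresh 32-byte signing secret; rotating the secret means calling this again."""
    return secrets.token_bytes(32)


def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_session(secret: bytes, user: str, ttl: int = 3600,
                  now: Optional[int] = None) -> str:
    """Mint a cookie of the form 'user:expiry:hexmac' (illustrative format, not Checkmk's)."""
    now = int(time.time()) if now is None else now
    payload = f"{user}:{now + ttl}"
    return f"{payload}:{_mac(secret, payload)}"


def verify_session(secret: bytes, cookie: str,
                   now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is unexpired and its MAC verifies, else None."""
    try:
        user, expiry_text, mac = cookie.rsplit(":", 2)
        expiry = int(expiry_text)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if now >= expiry:
        return None
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(_mac(secret, f"{user}:{expiry}"), mac):
        return None
    return user


def forge_session(leaked_secret: bytes, victim: str,
                  now: Optional[int] = None) -> str:
    """What the holder of a leaked secret can do: HMAC is symmetric, so the key
    that verifies cookies also mints them, for any user name the attacker chooses."""
    return issue_session(leaked_secret, victim, now=now)


def demo(now: int = 1_700_000_000) -> Tuple[Optional[str], Optional[str]]:
    """Return (who the forged cookie authenticates as on the central site,
    who it authenticates as after the central site rotates its secret)."""
    central_secret = new_signing_secret()
    leaked_copy = central_secret  # config sync handed the same bytes to the remote site
    forged = forge_session(leaked_copy, "cmkadmin", now=now)  # assumed victim name
    accepted_as = verify_session(central_secret, forged, now=now)
    rotated_secret = new_signing_secret()  # remediation step: rotate after patching
    after_rotation = verify_session(rotated_secret, forged, now=now)
    return accepted_as, after_rotation


if __name__ == "__main__":
    print(demo())  # ('cmkadmin', None)
```

The point of the last two lines of `demo` is the remediation caveat: patching closes the leak for the future, but every remote site that already received the old secret keeps a working copy until the central site rotates it.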

Affected Products

Checkmk releases before 2.4.0p23, releases before 2.3.0p45, and all releases of the 2.2.0 branch are affected when configuration synchronization is enabled. The affected product is identified by the CPE cpe:2.3:a:checkmk_gmbh:checkmk; the vendor documents the issue in Checkmk Werk 18954 (https://checkmk.com/werk/18954) and it is tracked as GHSA-6642-x6x4-g343. Organizations running distributed monitoring with config sync between central and remote sites should inventory the installed version on every site, central and remote alike.

Remediation

Upgrade to 2.4.0p23 or later, or to 2.3.0p45 or later. The 2.2.0 branch has no fixed release and is no longer receiving patches, so installations on it must move to a supported branch. Because the secret may already have been copied to every remote site, patching alone does not revoke it: rotate the central site's session signing secret after the upgrade so that cookies forged with the old value stop verifying (existing legitimate sessions are invalidated once as a side effect). Until a patch can be applied, disable configuration synchronization to remote sites whose administrators are not also trusted on the central site, where that is operationally feasible, and restrict network access to the central site's web interface so that remote-site hosts and their administrators cannot reach it; a forged cookie is only useful if it can be presented to the central site. Audit remote-site administrator accounts and the central site's session and audit logs for sessions that do not correspond to a known login. Refer to https://checkmk.com/werk/18954 for the vendor's patching instructions.
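For the version inventory called for under Affected Products and Remediation, here is an added Python helper (not Checkmk's code) that parses Checkmk version strings of the form MAJOR.MINOR.MICRO[pNN|bNN|iNN][.edition] and classifies each against the fix levels stated on this page. The `omd versions` output it consumes is a constructed sample; the assumption that patch releases within a branch order numerically by their pNN suffix, and that pre-release builds (bNN, iNN) sit below every patch release, is made for the example.

```python
import re
from typing import Dict, NamedTuple, Optional

# Fix levels taken from the advisory text on this page. Assumption: within a
# branch, "pNN" patch releases order numerically by NN.
FIXED_PATCH_LEVEL = {(2, 4, 0): 23, (2, 3, 0): 45}
# Branch listed as affected with no fixed release (no longer patched per the page).
NO_FIX_BRANCHES = {(2, 2, 0)}

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)"   # branch, e.g. 2.3.0
    r"(?:p(?P<p>\d+)|b(?P<b>\d+)|i(?P<i>\d+))?"          # p45 / b2 / i1 (pre-release)
    r"(?:\.(?P<edition>[a-z]{3}))?$"                     # edition suffix, e.g. .cee
)


class CmkVersion(NamedTuple):
    branch: tuple           # (major, minor, micro)
    plevel: int             # patch level; 0 = GA without pNN; -1 = beta/innovation build
    edition: Optional[str]  # cre/cee/cme/cce/... or None when absent
    raw: str


def parse_version(text: str) -> CmkVersion:
    """Parse a Checkmk version string such as '2.3.0p44.cee' or '2.4.0b3'."""
    text = text.strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {text!r}")
    branch = (int(m["major"]), int(m["minor"]), int(m["micro"]))
    if m["p"] is not None:
        plevel = int(m["p"])
    elif m["b"] is not None or m["i"] is not None:
        plevel = -1  # assumption: pre-release builds predate every patch release
    else:
        plevel = 0
    return CmkVersion(branch, plevel, m["edition"], text)


def status(v: CmkVersion) -> str:
    """Classify against CVE-2025-64998: 'affected', 'fixed' or 'not covered'."""
    if v.branch in NO_FIX_BRANCHES:
        return "affected"
    fixed = FIXED_PATCH_LEVEL.get(v.branch)
    if fixed is None:
        return "not covered"  # branch not named by the advisory; consult the vendor
    return "fixed" if v.plevel >= fixed else "affected"


def audit_omd_versions(output: str) -> Dict[str, str]:
    """Map each version line of `omd versions` output to its status.

    The trailing ' (default)' marker on the default version is stripped first.
    """
    result: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        version = line.replace("(default)", "").strip()
        result[version] = status(parse_version(version))
    return result


# Constructed sample standing in for real `omd versions` output on a site host.
SAMPLE_OMD_VERSIONS = """\
2.2.0p38.cee
2.3.0p44.cee
2.4.0p23.cre (default)
2.5.0b1.cee
"""

if __name__ == "__main__":
    for version, state in audit_omd_versions(SAMPLE_OMD_VERSIONS).items():
        print(f"{version:<16} {state}")
```

Run it on each host that carries a Checkmk site and feed it `omd versions`; anything reported as "affected" on a central site needs the upgrade plus the secret rotation described above, and anything "not covered" is a branch this advisory does not speak to.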

Priority Score

37 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +36, POC 0


EUVD-2025-208958 vulnerability details – vuln.today
