CVE-2025-64999

Medium
CWE-79 — Weakness Type
Published: Feb 26, 2026  ·  Modified: Mar 5, 2026  ·  Source: NVD
CVSS v3
5.4
📄 Description (English)

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.

🤖 AI Executive Summary

CVE-2025-64999 is a stored cross-site scripting (XSS) vulnerability in Checkmk monitoring software affecting versions 2.3.0 before p43 and 2.4.0 before p22. An attacker with the ability to manipulate host check outputs can inject malicious JavaScript into Synthetic Monitoring HTML logs, which executes when accessed via phishing links. While currently unpatched, the attack requires internal access to manipulate check outputs, limiting immediate external threat but posing significant risk to monitoring infrastructure integrity.

🤖 AI Intelligence Analysis (analyzed: May 26, 2026 10:19)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Checkmk for infrastructure monitoring face moderate risk. Primary impact sectors include: (1) Government agencies and NCA using Checkmk for IT infrastructure monitoring; (2) Banking sector (SAMA-regulated) using Checkmk for system health monitoring; (3) Energy sector (ARAMCO and related entities) relying on Checkmk for critical infrastructure monitoring; (4) Telecom operators (STC, Mobily) using Checkmk for network monitoring. The vulnerability requires internal access to manipulate check outputs, making it primarily a risk from compromised monitoring agents or insider threats. However, successful exploitation could lead to credential theft, lateral movement, or system compromise through phishing links sent to monitoring personnel.
🏢 Affected Saudi Sectors
Government, Banking, Energy, Telecommunications, Healthcare, Critical Infrastructure
⚖️ Saudi Risk Score (AI)
5.8 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Checkmk instances in your environment running versions 2.3.0 (before p43) or 2.4.0 (before p22)
2. Restrict access to Checkmk monitoring interfaces to authorized personnel only
3. Implement network segmentation to isolate Checkmk infrastructure from untrusted networks
4. Review and audit all monitoring agent configurations for unauthorized modifications

Patching Guidance:
1. Upgrade Checkmk 2.3.0 installations to version 2.3.0p43 or later
2. Upgrade Checkmk 2.4.0 installations to version 2.4.0p22 or later
3. Test patches in non-production environments before deployment
4. Schedule maintenance windows for production upgrades

Compensating Controls (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to detect and block JavaScript injection patterns in Checkmk logs
2. Deploy Content Security Policy (CSP) headers to prevent inline script execution
3. Enforce strict input validation on all monitoring agent outputs
4. Implement HTML entity encoding for all user-controllable data in log displays
5. Use security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY

Detection Rules:
1. Monitor for suspicious JavaScript patterns in check output data: <script>, javascript:, onerror=, onload=
2. Alert on unusual modifications to monitoring agent configurations
3. Track access to Synthetic Monitoring HTML logs from external or suspicious sources
4. Monitor for phishing emails containing Checkmk log links with encoded payloads
5. Implement SIEM rules to detect XSS payload indicators in Checkmk API calls and log submissions
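Compensating control 4 (HTML entity encoding of user-controllable data in log displays) and detection rule 1 (the `<script>`, `javascript:`, `onerror=`, `onload=` indicators in check output) are shown below in working form. This is an added example written for this page, not Checkmk's own rendering or detection code; the check-output samples, the row-rendering functions and the HTML table layout are constructed for the demonstration, and the indicator regex generalizes the page's four literal patterns to case-insensitive matching with optional whitespace.

```python
"""Added example (not part of the CVE record or of Checkmk): the two
defensive controls from the remediation list, applied to constructed
check-output samples.

1. Contextual output encoding: render untrusted check output into an HTML
   log with html.escape() instead of raw string concatenation.
2. Detection: flag check-output lines that carry the script-injection
   indicators named in detection rule 1 before they reach a log renderer
   or a SIEM.
"""
import html
import re

# Constructed sample check outputs: the first three are ordinary plugin
# lines (one contains a harmless literal '<'), the last two carry the
# indicator patterns the detection rule lists.
SAMPLE_CHECK_OUTPUT = [
    "OK - 3 sessions active, response time 120ms",
    "WARN - disk usage 87% on /var/log",
    "OK - page title <Welcome> rendered in 0.4s",
    "OK - status <script>alert(1)</script>",
    "CRIT - <img src=x onerror=alert(1)> login check failed",
]

# Indicator patterns from detection rule 1, matched case-insensitively and
# tolerant of whitespace around '=' and after '<' so trivial spacing
# variants do not slip past the rule.
INDICATORS = re.compile(
    r"<\s*script\b|javascript\s*:|on(?:error|load)\s*=",
    re.IGNORECASE,
)


def render_log_row_unsafe(host: str, output: str) -> str:
    """Vulnerable pattern: untrusted output concatenated straight into HTML."""
    return f"<tr><td>{host}</td><td>{output}</td></tr>"


def render_log_row(host: str, output: str) -> str:
    """Hardened form: every untrusted field is HTML-entity encoded.
    quote=True also encodes quotes, so the value stays inert inside
    attribute contexts as well as element text."""
    return (
        f"<tr><td>{html.escape(host, quote=True)}</td>"
        f"<td>{html.escape(output, quote=True)}</td></tr>"
    )


def contains_html_tag(rendered: str) -> bool:
    """Check helper: does anything tag-like survive inside the cell content
    of a rendered row (the only markup we emit is the <tr>/<td> wrapper)?"""
    cells = re.findall(r"<td>(.*?)</td>", rendered, re.DOTALL)
    return any(re.search(r"<[a-zA-Z/]", cell) for cell in cells)


def flag_suspicious_outputs(lines: list[str]) -> list[dict]:
    """Detection: one finding per line that matches an indicator, carrying
    the matched token so an analyst can triage quickly."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = INDICATORS.search(line)
        if match:
            findings.append(
                {"line": lineno, "indicator": match.group(0), "output": line}
            )
    return findings


if __name__ == "__main__":
    for out in SAMPLE_CHECK_OUTPUT:
        print(render_log_row("host-01", out))
    for f in flag_suspicious_outputs(SAMPLE_CHECK_OUTPUT):
        print(f"ALERT line {f['line']}: {f['indicator']!r} in {f['output']!r}")
```

Two caveats for anyone adapting this: `html.escape` is correct for HTML element text and quoted attribute values only, so output that lands in a JavaScript block, a URL or a CSS context needs that context's own encoder; and the indicator regex is a triage signal, not a parser, so encoded or obfuscated payloads can evade it and it should complement, not replace, output encoding and the upgrade.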
🔧 Remediation Steps (Arabic, translated to English)
Immediate actions:
1. Identify all Checkmk instances in your environment running versions 2.3.0 (before p43) or 2.4.0 (before p22)
2. Restrict access to Checkmk monitoring interfaces to authorized personnel only
3. Implement network segmentation to isolate the Checkmk infrastructure from untrusted networks
4. Review and audit all monitoring agent configurations for unauthorized modifications

Patching guidance:
1. Upgrade Checkmk 2.3.0 installations to version 2.3.0p43 or later
2. Upgrade Checkmk 2.4.0 installations to version 2.4.0p22 or later
3. Test patches in non-production environments before deployment
4. Schedule maintenance windows for production upgrades

Compensating controls (if patching is delayed):
1. Implement web application firewall (WAF) rules to detect and block JavaScript injection patterns in Checkmk logs
2. Deploy Content Security Policy (CSP) headers to prevent execution of inline scripts
3. Enforce strict input validation on all monitoring agent outputs
4. Implement HTML entity encoding for all user-controllable data in log views
5. Use security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY

Detection rules:
1. Monitor for suspicious JavaScript patterns in check output data: <script>, javascript:, onerror=, onload=
2. Alert on unusual modifications to monitoring agent configurations
3. Track access to Synthetic Monitoring logs from external or suspicious sources
4. Monitor phishing emails containing Checkmk log links with encoded payloads
5. Implement SIEM rules to detect XSS payload indicators in Checkmk API calls and log submissions
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Web application security controls
ECC 2024 A.6.14 - Secure development and change management
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.2 - Information and Communications Technology (ICT) Security
SAMA CSF 2.2.1 - Access Control and Authentication
SAMA CSF 2.2.2 - Data Protection and Encryption
SAMA CSF 2.2.4 - Monitoring and Incident Management
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Web application security
ISO 27001:2022 A.6.5 - Access control
ISO 27001:2022 A.8.22 - Monitoring activities
ISO 27001:2022 A.8.28 - Secure coding
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 11.3 - Penetration testing and vulnerability scanning
📦 Affected Products / CPE (50 entries)
checkmk:checkmk:2.3.0 (listed 49 times; the CPE update level is not shown in the feed)
checkmk:checkmk:2.4.0 (listed once)
📊 CVSS Score
5.4 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): N = Network
Attack Complexity (AC): L = Low
Privileges Required (PR): L = Low
User Interaction (UI): R = Required
Scope (S): C = Changed
Confidentiality (C): L = Low
Integrity (I): L = Low
Availability (A): N = None
📋 Quick Facts
Severity: Medium
CVSS Score: 5.4
CWE: CWE-79
Exploit: No
Patch: ✗ No
Published: 2026-02-26
Source Feed: nvd
🇸🇦 Saudi Risk Score
5.8 / 10.0 (Saudi Risk)
Priority: HIGH
🏷️ Tags
CWE-79