Monitoring Software Checkmk: Update Closes Critical Cross-Site Scripting Gap
Current versions of the monitoring software Checkmk close a cross-site scripting vulnerability classified as a critical risk.
A vulnerability in the network monitoring software Checkmk can allow attackers to inject JavaScript code – or even unauthorized commands into the operating system. It is a cross-site scripting vulnerability that its discoverers classify as critical.
The security vulnerability is described by SBA-Research specifically as a stored cross-site scripting vulnerability. It can occur when Checkmk is operated in a distributed monitoring setup. In this case, any connected remote site can inject JavaScript code into the user interface of the central site (CVE-2025-39663, CVSS 9.1, risk “critical”). Attackers who control a connected remote site can therefore take over the web sessions of users who view the status of that remote site's hosts or services. If malicious actors attack an admin session, this enables remote code execution (RCE) on the central site.
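As an added illustration of this bug class (not Checkmk's code and not the SBA-Research PoC), the Python sketch below shows status text arriving from a remote site being rendered by a central site both verbatim and HTML-encoded, plus a simple check a central site could run to flag remote-supplied status that carries markup. Host names and status strings are constructed.

```python
import html
import re

# Constructed sample: status text as a remote site might report it for its hosts.
# One entry is benign, one carries HTML markup (hypothetical, not the real PoC).
SAMPLE_STATUS = {
    "db01": "OK - 3 services running",
    "web02": "CRIT - disk full <script>probe()</script>",
}


def render_status_unsafe(host: str, status: str) -> str:
    """The bug class described above: text supplied by the remote site is
    inserted verbatim into the central site's HTML, so any markup it
    contains is interpreted by the viewer's browser."""
    return f"<tr><td>{host}</td><td>{status}</td></tr>"


def render_status_safe(host: str, status: str) -> str:
    """Hardened form: everything that originates from the remote site is
    HTML-encoded (including quotes) before it reaches the browser, so it
    is displayed as text rather than executed."""
    return f"<tr><td>{html.escape(host)}</td><td>{html.escape(status)}</td></tr>"


# Opening/closing tags, inline event handlers, and javascript: URLs are
# things a plausible monitoring status line never needs to contain.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def flag_suspicious_status(hosts: dict) -> list:
    """Return the hosts whose remote-supplied status looks like markup.
    On a central site this is a cheap detection signal that a connected
    remote site is feeding HTML instead of plain status text."""
    return [host for host, status in hosts.items() if _MARKUP.search(status)]
```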
Proof-of-Concept Available
In the vulnerability description, the IT researchers also show a proof-of-concept (PoC) that exploits the vulnerability. They further demonstrate how, via an attacked admin session, this leads to command execution on the operating system.
The recently released versions 2.4.0p14 and 2.3.0p39 of Checkmk close the security vulnerability. In their security advisory, the authors recommend updating to these versions promptly. Admins should also apply the updates quickly because attackers can easily exploit the vulnerability with the available PoC. The IT researchers from SBA-Research also recommend disabling the “Trust this site completely” option for all remote sites.
Checkmk recently released updated software, which closed a privilege escalation vulnerability in the Windows agent. With a CVSS score of 8.8, it was considered high risk and narrowly missed the critical status.
(dmk)