Checkmk: Highly risky cross-site scripting flaw in network monitoring software
The developers have released updated Checkmk versions. They close a cross-site scripting vulnerability rated at least "high".
Updated versions of the network monitoring software Checkmk patch a security vulnerability. Attackers can smuggle malicious JavaScript into logs, which victims can then be lured into opening via phishing links, for example.
According to the vulnerability description on GitHub, insufficient input filtering in Checkmk allows attackers who can manipulate host check output to inject malicious JavaScript, which ends up in the "Synthetic Monitoring" HTML logs. If an admin clicks on a prepared phishing link, the injected code is executed when the log entries are rendered in the Checkmk UI; the sandboxing of these logs can thus be bypassed via phishing links (CVE-2025-64999, CVSS4 7.3, risk "high").
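To make the mechanism concrete, here is an added illustration in Python. It is not Checkmk's code and is not taken from the advisory: a minimal, hypothetical log renderer that takes check output strings and builds an HTML log table, first interpolating the output unescaped (the class of bug described above) and then with `html.escape` applied to every untrusted string. The check output lines are constructed sample data, and all function names are assumptions for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample check output lines (made up for this example, not real
# Checkmk data). The second line carries a typical stored-XSS payload that a
# compromised or malicious host could return as its check output.
SAMPLE_CHECK_OUTPUTS = [
    "OK - 2 processes running",
    'CRIT - disk full <img src=x onerror="alert(document.cookie)">',
]


def render_log_vulnerable(outputs):
    """Hypothetical renderer: check output goes into the HTML log unescaped.

    Anything that looks like markup in the output becomes live markup in the
    page, so an attacker-controlled check result turns into script execution
    for whoever views the log.
    """
    rows = "".join(f"<tr><td>{out}</td></tr>" for out in outputs)
    return f"<table>{rows}</table>"


def render_log_fixed(outputs):
    """Same renderer, but every untrusted string is HTML-escaped first.

    quote=True also escapes " and ', which matters once output is ever placed
    inside an attribute value rather than element text.
    """
    rows = "".join(
        f"<tr><td>{html.escape(out, quote=True)}</td></tr>" for out in outputs
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Collects the start tags a browser-like parser would see in the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(html_text):
    """Return the list of element names present in the rendered HTML.

    Used here as the check: if an <img> or <script> element from the check
    output shows up as a real tag, the payload survived rendering.
    """
    parser = _TagCollector()
    parser.feed(html_text)
    return parser.tags


if __name__ == "__main__":
    for name, render in (("vulnerable", render_log_vulnerable),
                         ("fixed", render_log_fixed)):
        page = render(SAMPLE_CHECK_OUTPUTS)
        tags = rendered_tags(page)
        print(f"{name}: tags={tags}, payload live={'img' in tags}")
```

The check via `rendered_tags` is the point of the example: the payload string still appears in the fixed page, but only as text (`&lt;img ...&gt;`), so no `img` element and therefore no `onerror` handler is ever created. Output escaping at the rendering boundary is the fix; filtering at the input side, as the advisory describes Checkmk doing insufficiently, has to anticipate every encoding a check output might use and is easy to get wrong.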
Checkmk Vulnerability: Deviating Risk Assessment
However, deviating from Checkmk's classification, CERT-Bund of the Federal Office for Information Security (BSI) considers the risk to be "critical": in its advisory, the IT security experts arrive at a CVSS score of 9.0.
Checkmk versions prior to 2.4.0p22, released last week, and prior to 2.3.0p43 are affected. According to a statement from Checkmk, the developers have also fixed the vulnerability in the beta versions of Checkmk 2.5.0 and 2.6.0. IT managers should update to the fixed builds promptly.
At the end of October 2025, an update had already closed a cross-site scripting vulnerability in Checkmk. That one, however, the developers themselves classified as a critical security risk. The description of that vulnerability reads quite similarly: in distributed monitoring setups, connected remote sites could inject JavaScript code into the user interface of the central instance. However, clicking a phishing link was not necessary to trigger the malicious code there.
(dmk)