CVE-2025-32918

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users to inject arbitrary Livestatus commands through the RestAPI autocomplete endpoint in Checkmk. Attackers could execute unauthorized commands, potentially compromising the monitoring system. Affected users are those running Checkmk versions before the patched releases.

💻 Affected Systems

Products:
  • Checkmk
Versions: Checkmk <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL)
Operating Systems: Linux-based systems where Checkmk is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the RestAPI. Checkmk 2.1.0 is End of Life and will not receive patches.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Checkmk monitoring system, allowing execution of arbitrary Livestatus commands that could lead to data exfiltration, system manipulation, or lateral movement to monitored hosts.

🟠

Likely Case

Unauthorized access to monitoring data, manipulation of monitoring configurations, or denial of service to the Checkmk system.

🟢

If Mitigated

Limited impact due to proper authentication controls and network segmentation, potentially only affecting monitoring data visibility.

🌐 Internet-Facing: HIGH if Checkmk RestAPI is exposed to the internet, as authenticated users could exploit this remotely.
🏢 Internal Only: HIGH as authenticated internal users could exploit this to gain elevated privileges or compromise the monitoring infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the RestAPI. The vulnerability is in the autocomplete endpoint where command delimiters are not properly neutralized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.4.0p6, 2.3.0p35, or 2.2.0p44

Vendor Advisory: https://checkmk.com/werk/17987

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration.
2. Update to the patched version using your distribution's package manager.
3. Restart the Checkmk services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict RestAPI Access


Limit access to the Checkmk RestAPI to trusted networks only using firewall rules.

iptables -A INPUT -p tcp --dport 5000 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP

Disable Autocomplete Endpoint


Temporarily disable the vulnerable autocomplete endpoint if it is not required. Note that both the GUI and the RestAPI are served by the site's Apache, so changing its listener port takes the whole site web interface offline, not only the autocomplete endpoint; plan for that outage.

omd config set APACHE_TCP_PORT 0
omd restart apache

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Checkmk from untrusted networks.
  • Review and restrict user permissions to minimize the attack surface for authenticated users.

🔍 How to Verify

Check if Vulnerable:

Check your Checkmk version with omd version, run as the site user. You are vulnerable if the version is below 2.4.0p6, 2.3.0p35 or 2.2.0p44 within its release line, or is any 2.1.0 build (EOL, no fix available).

Check Version:

omd version

Verify Fix Applied:

After patching, confirm with omd version that the site reports 2.4.0p6, 2.3.0p35 or 2.2.0p44 (or a later patch level of the same release line).
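The version check above as a shell function, added here as an example and not part of this advisory or of Checkmk itself. It classifies a version string against the three patched releases listed above and treats every 2.1.0 build as vulnerable. The omd version output format assumed ("OMD - Open Monitoring Distribution Version 2.3.0p30.cee") and the sample strings are assumptions, not captured output.

```shell
# Added example, not from the advisory or the Checkmk project: classify a
# Checkmk version against the patched releases named above
# (2.4.0p6, 2.3.0p35, 2.2.0p44; 2.1.0 is EOL with no fix).

# checkmk_status VERSION
#   prints:  vulnerable | fixed | unlisted
#   returns: 1 = vulnerable, 0 = fixed, 2 = release line not covered here
checkmk_status() {
    # Drop the edition suffix (.cre/.cee/...) and keep "major.minor.patch[pN]".
    # A pre-release such as 2.4.0b1 has no p-level and is treated as p0.
    base=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+)(p[0-9]+)?.*$/\1\2/')
    line=${base%%p*}            # e.g. 2.3.0
    plevel=${base#"$line"}      # e.g. p30, or empty
    plevel=${plevel#p}
    plevel=${plevel:-0}
    case "$line" in
        2.1.0) need=   ;;   # EOL: every 2.1.0 build stays vulnerable
        2.2.0) need=44 ;;
        2.3.0) need=35 ;;
        2.4.0) need=6  ;;
        *)     echo unlisted; return 2 ;;
    esac
    if [ -z "$need" ] || [ "$plevel" -lt "$need" ]; then
        echo vulnerable; return 1
    fi
    echo fixed; return 0
}

# omd_version_from_output LINE
#   extracts the version token from an `omd version` line; the exact output
#   format ("... Version 2.3.0p30.cee") is an assumption.
omd_version_from_output() {
    printf '%s\n' "$1" | sed -nE 's/.*Version ([^ ]+).*/\1/p'
}

# On a live site, run as the site user:
#   checkmk_status "$(omd_version_from_output "$(omd version)")"
# Constructed sample lines (not real output):
for sample in "OMD - Open Monitoring Distribution Version 2.3.0p30.cee" \
              "OMD - Open Monitoring Distribution Version 2.4.0p6.cre"; do
    v=$(omd_version_from_output "$sample")
    printf '%s -> %s\n' "$v" "$(checkmk_status "$v" || true)"
done
```

The exit code lets the function sit in a cron job or a compliance check (non-zero means act); the printed word is for humans. Release lines the advisory does not mention are reported as unlisted rather than fixed, so a newer or older line is never silently marked safe.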

📡 Detection & Monitoring

Log Indicators:

  • Unusual Livestatus commands in Checkmk logs
  • Multiple failed authentication attempts followed by successful login and command execution

Network Indicators:

  • Unusual traffic patterns to the RestAPI autocomplete endpoint
  • Unexpected Livestatus queries from authenticated users

SIEM Query:

source="checkmk.log" AND "livestatus" AND "autocomplete" AND status=200
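One way to act on the "unusual traffic to the autocomplete endpoint" indicator above, added here as an example that is not part of this advisory or of Checkmk: count successful requests to autocomplete paths per client address and authenticated user in the site's Apache access log and flag clients above a threshold. It assumes the log is in Apache combined format and that the request path contains "autocomplete"; the exact endpoint path is not given on this page, and the sample log lines, users, addresses and paths are constructed.

```shell
# Added example, not from the advisory or the Checkmk project: per-client
# counts of successful requests to autocomplete paths in an Apache
# "combined" access log (ip ident user [time] "METHOD path proto" status size ...).
# The request paths below are constructed placeholders, not the real endpoint.

# autocomplete_hits LOGFILE [THRESHOLD]
#   prints "ip user count" for every client with >= THRESHOLD (default 5)
#   HTTP 200 requests to a path containing "autocomplete", sorted by ip
autocomplete_hits() {
    awk -v thr="${2:-5}" '
        $7 ~ /autocomplete/ && $9 == 200 { n[$1 " " $3]++ }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' "$1" | sort
}

# Constructed sample log (not real Checkmk output): bob makes six successful
# autocomplete calls plus one rejected (401) call; alice makes two.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - alice [11/Jun/2025:10:00:01 +0000] "GET /mysite/check_mk/api/1.0/objects/host_config/web01 HTTP/1.1" 200 512
10.0.0.5 - alice [11/Jun/2025:10:00:02 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=web HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:03 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=a HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:03 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=b HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:04 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=c HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:04 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=d HTTP/1.1" 401 0
10.0.0.9 - bob [11/Jun/2025:10:00:05 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=e HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:05 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=f HTTP/1.1" 200 128
10.0.0.9 - bob [11/Jun/2025:10:00:06 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=g HTTP/1.1" 200 128
10.0.0.5 - alice [11/Jun/2025:10:00:07 +0000] "GET /mysite/check_mk/api/1.0/autocomplete?q=db HTTP/1.1" 200 128
EOF

# Expected on the sample: "10.0.0.9 bob 6"
autocomplete_hits "$SAMPLE_LOG" 5
```

Only 200 responses are counted, so failed or rejected calls do not inflate a client's score; a threshold tuned to the normal interactive rate on your site turns this into a simple baseline check to schedule against the rotated access log.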

🔗 References
