CVE-2025-39663

8.4 HIGH

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote monitoring site to inject malicious HTML/JavaScript into service outputs displayed on the central site. This affects Checkmk installations with distributed monitoring configurations where untrusted remote sites could be compromised. The vulnerability enables attackers to execute arbitrary scripts in the context of the central site's web interface.

💻 Affected Systems

Products:
  • Checkmk
Versions: Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (end of life)
Operating Systems: All platforms running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires distributed monitoring configuration with remote sites that could be compromised. Standalone installations without remote sites are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the central Checkmk instance through session hijacking, credential theft, or administrative actions performed by authenticated users viewing malicious service outputs.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the monitoring interface when users view service outputs from compromised remote sites.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place, potentially only affecting display of service outputs without script execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires compromising a remote monitoring site first, then the XSS payload executes when central site users view service outputs from that remote site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0p14, 2.3.0p39, or later versions

Vendor Advisory: https://checkmk.com/werk/17998

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration.
2. Update to Checkmk 2.4.0p14 or 2.3.0p39 using your distribution's package manager.
3. Restart Checkmk services: 'omd restart' or systemctl restart checkmk services.
4. Verify the update with 'omd version'.

🔧 Temporary Workarounds

Disable HTML in service outputs (Linux)

Configure Checkmk to strip or escape HTML from service outputs in distributed monitoring.

Edit /omd/sites/[site]/etc/checkmk/multisite.d/wato/global.mk and add: 'escape_html_in_service_outputs = True'

Restrict remote site permissions (Linux)

Limit what remote sites can send to the central site through configuration changes.

Edit the remote site configuration to restrict service output permissions in distributed_wato.mk

🧯 If You Can't Patch

  • Isolate compromised remote sites immediately and audit all remote site integrity
  • Implement web application firewall (WAF) rules to block XSS payloads in service outputs

🔍 How to Verify

Check if Vulnerable:

Check the Checkmk version with 'omd version' or your package manager. If the version is older than 2.4.0p14 or 2.3.0p39 and the site participates in distributed monitoring, it is vulnerable.

Check Version:

omd version

Verify Fix Applied:

Verify that the version is 2.4.0p14 or 2.3.0p39 or later with 'omd version', then test that HTML in service outputs from remote sites is escaped before it is displayed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript patterns in service output logs
  • Multiple failed attempts to inject scripts in service outputs
  • Unexpected changes to service output formatting

Network Indicators:

  • Malformed service output data containing script tags from remote sites
  • Unexpected HTML entities in monitoring data streams

SIEM Query:

source="checkmk.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=") AND "service_output"
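As an added illustration (not part of this advisory and not Checkmk's own tooling), the following Python applies the same markup patterns as the SIEM query above to a few constructed log lines, and adds a helper for the "verify fix applied" step: given the raw service output and the HTML fragment the central site renders for it, it confirms that the output appears only in escaped form. The log line layout and field names are assumptions made for this example, not Checkmk's real log format.

```python
import html
import re

# Markup patterns mirrored from the SIEM query: a raw "<script" tag, a
# "javascript:" URL scheme, and inline event handlers such as onerror=/onload=.
XSS_PATTERNS = re.compile(
    r"<\s*script|javascript\s*:|\bon(?:error|load)\s*=", re.IGNORECASE
)

# Constructed sample lines. The "key=value" layout with quoted values is an
# assumption for this example, not the real checkmk.log format.
SAMPLE_LOG_LINES = [
    'site=remote1 host=db01 service="CPU load" service_output="OK - load 0.42"',
    'site=remote2 host=web01 service="HTTP" service_output="WARN - <script>alert(1)</script>"',
    'site=remote2 host=web02 service="HTTP" service_output="OK - <img src=x onerror=alert(1)>"',
    'site=central host=web03 service="Disk" service_output="OK - 12% used on /"',
]

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one constructed log line into a dict of key/value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value; otherwise take the bareword
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def find_suspicious_outputs(lines):
    """Return (site, host, service) for every line whose service_output matches XSS_PATTERNS."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        output = fields.get("service_output", "")
        if XSS_PATTERNS.search(output):
            hits.append((fields.get("site"), fields.get("host"), fields.get("service")))
    return hits


def is_safely_escaped(rendered_html, original_output):
    """True if the central site rendered original_output only in HTML-escaped form.

    rendered_html is the fragment of the page (e.g. a table cell) that displays
    the service output; original_output is the raw string the remote site sent.
    """
    escaped = html.escape(original_output, quote=True)
    if escaped == original_output:
        return True  # nothing to escape, so nothing can be injected
    return escaped in rendered_html and original_output not in rendered_html


if __name__ == "__main__":
    for site, host, service in find_suspicious_outputs(SAMPLE_LOG_LINES):
        print(f"suspicious service output from site={site} host={host} service={service}")
    raw = "<script>alert(1)</script>"
    print("patched rendering ok:", is_safely_escaped("<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>", raw))
    print("unpatched rendering ok:", is_safely_escaped("<td><script>alert(1)</script></td>", raw))
```

Running it flags the two remote2 lines and reports the escaped rendering as safe and the raw rendering as unsafe. The same patterns produce false positives on legitimate outputs that merely mention these strings (a check that reports an HTTP body, for instance), so treat hits as a trigger to inspect the originating remote site rather than as proof of compromise.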
