CVE-2025-64997

6.5 MEDIUM

📋 TL;DR

This vulnerability allows low-privileged users in Checkmk monitoring systems to access agent information through the REST API without proper authorization. It affects Checkmk versions before 2.4.0p17 and 2.3.0p42, potentially exposing sensitive monitoring data to unauthorized users.

💻 Affected Systems

Products:
  • Checkmk
Versions: All versions before 2.4.0p17 and 2.3.0p42
Operating Systems: All platforms running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Checkmk installations with low-privileged user accounts and REST API access enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map the entire monitoring infrastructure, identify vulnerable systems, and use agent information to launch targeted attacks against monitored endpoints.

🟠

Likely Case

Unauthorized users within the organization access monitoring data they shouldn't see, potentially learning about system configurations, network topology, or sensitive application information.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to information disclosure within the monitoring system itself.

🌐 Internet-Facing: MEDIUM - If the REST API is exposed to the internet, attackers could potentially enumerate internal systems, though authentication would still be required.
🏢 Internal Only: HIGH - In internal networks, low-privileged users or compromised accounts could access sensitive monitoring information about other systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid low-privileged user credentials and access to the REST API endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0p17 or 2.3.0p42

Vendor Advisory: https://checkmk.com/werk/18681

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration.
2. Update to Checkmk 2.4.0p17 (for the 2.4.x branch) or 2.3.0p42 (for the 2.3.x branch).
3. Restart Checkmk services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict REST API Access (platform: all)

Limit access to the REST API endpoint to only authorized users or networks:

  • Configure firewall rules to restrict access to the Checkmk API port (typically 5000/tcp)
  • Use web server configuration to restrict API endpoint access

Review User Permissions (platform: linux)

Audit and reduce low-privileged user accounts with REST API access:

  omd su <site> cmk -U list

Review and modify user permissions in the Checkmk GUI.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Checkmk API from untrusted networks
  • Enable detailed audit logging for all REST API access and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Checkmk version with omd version or check_mk --version. If the version is below 2.4.0p17 (for 2.4.x) or 2.3.0p42 (for 2.3.x), the system is vulnerable.

Check Version:

omd version

Verify Fix Applied:

After patching, verify that the version shows 2.4.0p17 or higher (for 2.4.x) or 2.3.0p42 or higher (for 2.3.x). Then test with a low-privileged user that agent information is no longer accessible via the REST API.
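The version comparison above is easy to get wrong by hand because Checkmk patch levels use a "p" suffix ("2.4.0p9" is older than "2.4.0p17", which a plain string comparison gets backwards). The following checker is an added example written for this page, not code from Checkmk or from the advisory. It encodes the two fixed releases the page names, parses the version token out of `omd version` output (the output layout is an assumption; the parser only needs a "major.minor.micro[pN]" token somewhere in the text), and treats any branch older than 2.3 as affected, since the page states that all versions before the fixed releases are vulnerable. Branches newer than 2.4 are reported as "not covered" rather than guessed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases per branch, as stated on the page for CVE-2025-64997.
FIXED_VERSIONS = {
    (2, 4): "2.4.0p17",
    (2, 3): "2.3.0p42",
}

# Matches a Checkmk version token such as "2.4.0p16" or "2.3.0" (no patch level).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first version token from text and return (major, minor, micro, patch).

    Works on a bare version string and on assumed `omd version` output such as
    "OMD - Open Monitoring Distribution Version 2.4.0p16.cee". A release without a
    "p" suffix is patch level 0. Returns None if no version token is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """Compare a Checkmk version against the fixed releases for CVE-2025-64997.

    Returns True when the version is below the fix for its branch (or on a branch
    older than any fixed branch), False when it is at or above the fix, and None
    when the text cannot be parsed or the branch is not covered by this advisory.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    branch = (version[0], version[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return version < parse_version(fixed)
    if branch < min(FIXED_VERSIONS):
        # Older than every fixed branch: "all versions before" applies.
        return True
    return None  # newer branch, not covered by this page


def check_local_site() -> Optional[bool]:
    """Run `omd version` on this host and classify the result (None if omd is absent)."""
    try:
        proc = subprocess.run(["omd", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stdout)


if __name__ == "__main__":
    result = check_local_site()
    print({True: "VULNERABLE: update to 2.4.0p17 / 2.3.0p42",
           False: "fixed release detected",
           None: "omd not found or branch not covered"}[result])
```

Run it as the site user or any account that can execute `omd version`; for offline use, feed `is_vulnerable()` the version string copied from the Checkmk GUI instead.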

📡 Detection & Monitoring

Log Indicators:

  • Unusual REST API access patterns from low-privileged users
  • Multiple requests to agent information endpoints from non-admin accounts

Network Indicators:

  • Increased traffic to /api endpoints from unexpected sources
  • Pattern of enumeration requests to agent-related API endpoints

SIEM Query:

source="checkmk.log" AND ("GET /api/" OR "POST /api/") AND user!="admin" AND ("agent" OR "host")
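The SIEM query above is a pure filter; in practice the useful signal is a non-admin user touching many distinct agent- or host-related objects in a short time. The script below is an added example written for this page, not Checkmk code, and it applies the same filter (API path containing "agent" or "host", user other than "admin") to a handful of constructed log lines, then adds a sliding-window count of distinct paths per user so that a single stray request and a sweep across hosts are reported differently. The log layout ("timestamp user method path status") and the paths are constructed for the example; the page does not name the exact endpoint affected, so the path patterns mirror the query's wording rather than a specific Checkmk route.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in an assumed "<ts> <user> <method> <path> <status>" layout.
SAMPLE_LOG = """\
2025-11-20T09:00:01 admin GET /mysite/check_mk/api/1.0/domain-types/host_config/collections/all 200
2025-11-20T09:00:10 readonly_ops GET /mysite/check_mk/api/1.0/version 200
2025-11-20T09:01:00 readonly_ops GET /mysite/check_mk/api/1.0/objects/host_config/web01 200
2025-11-20T09:01:02 readonly_ops GET /mysite/check_mk/api/1.0/objects/host_config/web02 200
2025-11-20T09:01:04 readonly_ops GET /mysite/check_mk/api/1.0/objects/host_config/db01 200
2025-11-20T09:01:06 readonly_ops GET /mysite/check_mk/api/1.0/objects/host_config/db02 200
2025-11-20T09:01:08 readonly_ops GET /mysite/check_mk/api/1.0/objects/host_config/app01 200
2025-11-20T09:01:10 readonly_ops GET /mysite/check_mk/api/1.0/domain-types/agent/actions/download/invoke 200
2025-11-20T09:30:00 guest GET /mysite/check_mk/api/1.0/objects/host_config/web01 200
this line is not in the expected layout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST|PUT|DELETE) (?P<path>\S+) (?P<status>\d{3})$"
)
# Same condition as the SIEM query: an /api/ path mentioning "agent" or "host".
API_RE = re.compile(r"/api/.*(agent|host)", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines outside the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_suspicious(
    lines: List[str],
    admin_users=frozenset({"admin"}),
    threshold: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> Tuple[List[dict], Dict[str, int]]:
    """Return (hits, enumerators).

    hits: every request by a non-admin user to an agent/host API path (the query as code).
    enumerators: users who touched at least `threshold` distinct such paths within any
    `window`, mapped to the largest distinct-path count seen; this is the enumeration
    pattern the page lists under network indicators.
    """
    hits: List[dict] = []
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] in admin_users:
            continue
        if API_RE.search(rec["path"]):
            hits.append(rec)
            per_user[rec["user"]].append((rec["ts"], rec["path"]))

    enumerators: Dict[str, int] = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct paths requested within `window` of this event.
            distinct = {path for ts, path in events[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                enumerators[user] = max(enumerators.get(user, 0), len(distinct))
    return hits, enumerators


if __name__ == "__main__":
    hits, enumerators = find_suspicious(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f"hit  {rec['ts']} {rec['user']} {rec['path']}")
    for user, count in enumerators.items():
        print(f"ENUMERATION {user}: {count} distinct agent/host paths inside the window")
```

Tune `admin_users` to your real administrative and automation accounts, and `threshold`/`window` to the normal behaviour of your dashboards, otherwise a legitimate host overview page will trip the enumeration rule.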
