CVE-2025-65000
📋 TL;DR
This vulnerability exposes SSH private keys in the HTML source of Checkmk's remote alert handler rule pages. An attacker who can view these pages can recover the key and use it to trigger the remote alert handlers on monitored hosts without authorization. Affects every 2.3.0 patch level and 2.4.0 up to and including p18.
💻 Affected Systems
- Checkmk
📦 What is this software?
Checkmk by Checkmk
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized execution of alert handlers leading to arbitrary command execution on monitored hosts, potentially compromising critical infrastructure.
Likely Case
Unauthorized triggering of alert handlers causing service disruptions, false alerts, or limited command execution depending on handler configuration.
If Mitigated
Limited impact if alert handlers have minimal privileges and network access is restricted.
🎯 Exploit Status
Exploitation requires an authenticated Checkmk web interface user who can open the affected remote alert handler rule pages; the key is not shown in the rendered form but is readable in the page's HTML source.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Checkmk 2.4.0p19 or later
Vendor Advisory: https://checkmk.com/werk/19030
Restart Required: No
Instructions:
1. Update Checkmk to version 2.4.0p19 or later.
2. For Checkmk 2.3.0, upgrade to 2.4.0p19 or later, as no patch exists for 2.3.0.
3. Apply the update with the 'omd update' command.
🔧 Temporary Workarounds
Disable Remote Alert Handlers (platform: linux)
Temporarily disable or remove SSH-based remote alert handlers until patched.
Navigate to Setup > Alert handlers > Remove or disable affected handlers
Restrict Web Interface Access (platform: all)
Limit access to the Checkmk web interface to trusted users only.
Configure firewall rules and authentication controls
🧯 If You Can't Patch
- Remove SSH private keys from alert handler configurations and use alternative authentication methods.
- Implement strict access controls and monitoring for Checkmk web interface access.
🔍 How to Verify
Check if Vulnerable:
Check the Checkmk version with the 'omd version' command (run as the site user). If the version is any 2.3.0 patch level, or 2.4.0 with patch level p18 or lower, inspect the HTML source of the remote alert handler rule pages for embedded SSH private keys.
Check Version:
omd version
Verify Fix Applied:
After updating to 2.4.0p19 or later, verify that SSH keys are no longer visible in the HTML source of the alert handler pages. Patching stops the disclosure but does not revoke keys that were already exposed: treat any key configured in a remote alert handler on an affected version as compromised, generate a replacement, and update the corresponding authorized_keys entries on the monitored hosts.
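The two checks above (version in the affected range, private key material in a saved rule page) as a small POSIX shell script. This is an added example, not Checkmk project code; it assumes 'omd version' prints a line of the form "OMD - Open Monitoring Distribution Version 2.4.0p18.cee", and the sample strings it runs on are constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example (not Checkmk project code): decide from 'omd version' output
# whether a site falls in the affected range (every 2.3.0 patch level, and
# 2.4.0 up to and including p18), and scan a saved copy of a rule page for
# embedded private key blocks.
# Assumption: 'omd version' prints a line such as
#   OMD - Open Monitoring Distribution Version 2.4.0p18.cee

# Print "major.minor.patch plevel" for the first "Version ..." line found,
# e.g. "2.4.0 18"; plevel is 0 when there is no pNN suffix (a GA release).
parse_omd_version() {
    printf '%s\n' "$1" \
      | sed -n -E 's/.*Version ([0-9]+\.[0-9]+\.[0-9]+)(p([0-9]+))?.*/\1 \3/p' \
      | head -n 1 \
      | awk '{ if ($2 == "") $2 = 0; print $1, $2 }'
}

# Return 0 (true) when the version is in the affected range, 1 otherwise.
is_vulnerable() {
    set -- $(parse_omd_version "$1")
    base=$1; plevel=$2
    case "$base" in
        2.3.0) return 0 ;;                                  # every 2.3.0 patch level
        2.4.0) [ "$plevel" -le 18 ] && return 0; return 1 ;; # 2.4.0 GA .. 2.4.0p18
        *)     return 1 ;;                                  # not listed as affected
    esac
}

# Scan a saved HTML page (fetched while logged in, or saved from the browser's
# "view source") for a PEM/OpenSSH private key header. Returns 0 when found.
html_contains_private_key() {
    grep -q -E -e '-----BEGIN (OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----' "$1"
}

# Demonstration on constructed strings (not output captured from a real site).
for line in 'OMD - Open Monitoring Distribution Version 2.4.0p18.cee' \
            'OMD - Open Monitoring Distribution Version 2.4.0p19.cee'; do
    if is_vulnerable "$line"; then
        echo "affected:     $line"
    else
        echo "not affected: $line"
    fi
done
# On a real site, as the site user:  is_vulnerable "$(omd version)"
# On a saved rule page:              html_contains_private_key rule_page.html
```

The version check is deliberately conservative: anything that is not 2.3.0 or 2.4.0 is reported as not listed, which is not the same as verified safe. The HTML scan only proves presence; a negative result on a page you were not authorized to see in full (for example, a user without permission to edit that rule) says nothing.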
📡 Detection & Monitoring
Log Indicators:
- Unexpected alert handler executions
- Unauthorized access to Checkmk web interface
Network Indicators:
- Unusual SSH connections from the Checkmk server to monitored hosts
- SSH logins on monitored hosts that present the alert handler's key but originate from a source other than the Checkmk server (a key copied out of the HTML source will be used from elsewhere)
SIEM Query:
source="checkmk" AND (event="alert_handler_execution" OR event="web_access")
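A concrete form of the second network indicator: on a monitored host, flag accepted public key logins for the remote alert handler's SSH user that did not come from the Checkmk server. This is an added example, not Checkmk project code; the handler user name ('checkmk'), the server address (10.0.0.5) and the sshd log lines are all constructed assumptions, and the parser relies on the standard OpenSSH "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..." log format.

```shell
#!/bin/sh
# Added example (not Checkmk project code): on a monitored host, list SSH
# logins that use the remote alert handler identity but do not originate
# from the Checkmk server. A key read from the exposed rule page would be
# used from an attacker's machine, so the source address is the tell.
# Assumptions: the handler's SSH user and the Checkmk server IP are known,
# and sshd logs in the standard OpenSSH format.

CHECKMK_SERVER_IP="10.0.0.5"   # assumption: the one legitimate source
HANDLER_USER="checkmk"         # assumption: user the remote handler runs as

# Print "<source ip> <key fingerprint>" for each suspicious login in the
# given log file; print nothing when every handler login came from the server.
suspicious_handler_logins() {
    awk -v user="$HANDLER_USER" -v server="$CHECKMK_SERVER_IP" '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            # ... Accepted publickey for USER from IP port N ssh2: TYPE FINGERPRINT
            u = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u  = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            fp = $NF
            if (u == user && ip != server) print ip, fp
        }' "$1"
}

# Demonstration on constructed sshd lines (not a real host's log).
demo_log=$(mktemp)
printf '%s\n' \
  'Nov 20 10:00:01 web01 sshd[2210]: Accepted publickey for checkmk from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:AAAAexample' \
  'Nov 20 10:03:17 web01 sshd[2291]: Accepted publickey for alice from 198.51.100.4 port 40210 ssh2: RSA SHA256:BBBBexample' \
  'Nov 20 10:09:42 web01 sshd[2355]: Accepted publickey for checkmk from 203.0.113.9 port 44012 ssh2: ED25519 SHA256:AAAAexample' \
  > "$demo_log"
echo "suspicious handler logins:"
suspicious_handler_logins "$demo_log"
rm -f "$demo_log"
# On a real host: suspicious_handler_logins /var/log/auth.log
```

The fingerprint in the output lets you confirm that the login used the same key the Checkmk server holds, which is what distinguishes a stolen handler key from an unrelated account misuse. If the handler's authorized_keys entry carries a from= restriction pinned to the Checkmk server, this check also covers the denied attempts you would expect to see once the key is rotated.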