Critical cross-site scripting flaw reported in Checkmk Monitoring Software
Take action: If you use Checkmk network monitoring software, plan a quick update to version 2.4.0p14 or 2.3.0p39. The exploit is not trivial and still requires an attacker to compromise a remote site in the network, but that will happen eventually. So better to patch. In the meantime, consider disabling the "Trust this site completely" option for all remote monitoring sites in your distributed setup.
Learn More
Checkmk has patched a critical security vulnerability in its network monitoring software that could allow attackers to execute malicious code and compromise entire monitoring infrastructures.
The flaw is tracked as CVE-2025-39663 (CVSS score 9.1), a Stored Cross-Site Scripting vulnerability. It affects Checkmk deployments configured with a distributed monitoring architecture. In these configurations, any connected remote monitoring site can inject malicious JavaScript code into the user interface of the central monitoring site. Attackers who have compromised or control a connected remote site can plant scripts in that site's status data; the scripts then execute in the central site's interface when the status of hosts or services from the remote site is viewed there.
If malicious actors successfully compromise an admin session through this cross-site scripting attack, they can achieve remote code execution (RCE) on the central monitoring site.
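To make the injection path concrete, here is a small added illustration (not Checkmk's code, and not taken from the advisory) of what goes wrong when a central site renders status data received from remote sites without output encoding. The status records, the `render_row_unsafe`/`render_row_safe` helpers and the `flag_markup` check are all constructed for this example; the second record stands in for data coming from a compromised remote site.

```python
import html

# Constructed sample: status records as a central site might receive them
# from remote sites in a distributed setup. The second record carries markup
# in the service description, standing in for data from a compromised site.
STATUS_RECORDS = [
    {"site": "remote1", "host": "web01", "service": "HTTP", "state": "OK"},
    {"site": "remote2", "host": "db01",
     "service": "Disk <script>alert(1)</script>", "state": "CRIT"},
]

# Fields a status view would show verbatim; any of them is an injection
# vector if rendered without escaping.
RENDERED_FIELDS = ("site", "host", "service", "state")


def render_row_unsafe(rec):
    """Vulnerable pattern: string concatenation straight into HTML.
    Whatever the remote site sent becomes part of the central page."""
    cells = "".join(f"<td>{rec[f]}</td>" for f in RENDERED_FIELDS)
    return f"<tr>{cells}</tr>"


def render_row_safe(rec):
    """Hardened pattern: every value from a remote site is HTML-escaped,
    so markup in a service name is displayed as text, not executed."""
    cells = "".join(f"<td>{html.escape(str(rec[f]))}</td>"
                    for f in RENDERED_FIELDS)
    return f"<tr>{cells}</tr>"


def flag_markup(records):
    """Defender-side sanity check: list (site, host, field) triples whose
    value contains angle brackets. Host and service names normally never
    do, so a hit is worth a look at that remote site."""
    hits = []
    for rec in records:
        for field in RENDERED_FIELDS:
            value = str(rec[field])
            if "<" in value or ">" in value:
                hits.append((rec["site"], rec["host"], field))
    return hits


if __name__ == "__main__":
    for rec in STATUS_RECORDS:
        print("unsafe:", render_row_unsafe(rec))
        print("safe:  ", render_row_safe(rec))
    print("suspicious:", flag_markup(STATUS_RECORDS))
```

The same principle applies regardless of the monitoring product: data from a peer site is untrusted input to the central UI, and escaping it at render time (or refusing it at import time, as `flag_markup` suggests) removes the stored-XSS path that the advisory describes.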
Affected versions
- Checkmk versions before 2.4.0p14
- Checkmk versions before 2.3.0p39
- Checkmk versions 2.2.0 (all versions)
- Checkmk versions 2.1.0 (end-of-life)
Checkmk has released patches that address this critical vulnerability in versions 2.4.0p14 and 2.3.0p39. The developers strongly recommend that administrators update to these patched versions as soon as possible. A public proof-of-concept exploit exists, which significantly lowers the barrier for attackers targeting vulnerable systems. Organizations that cannot upgrade should disable the "Trust this site completely" option for all remote monitoring sites in their distributed Checkmk configurations.