CVE-2025-64999 is a high-severity cross-site scripting (XSS) vulnerability in Checkmk versions 2. 4. 0 before 2. 4. 0p22 and 2. 3. 0 before 2. 3. 0p43. It arises from improper neutralization of input in Synthetic Monitoring HTML logs, allowing attackers who can manipulate a host's check output to inject malicious JavaScript.

CVE-2025-64999 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting Checkmk, a monitoring software developed by Checkmk GmbH. The flaw exists in versions 2.4.0 prior to patch 2.4.0p22 and 2.3.0 prior to patch 2.3.0p43. The vulnerability stems from improper neutralization of user-controllable input during the generation of Synthetic Monitoring HTML logs. Specifically, an attacker with the ability to manipulate a host's check output can inject malicious JavaScript code into these logs. When a user accesses the compromised logs via a crafted phishing link, the injected script executes in the context of the victim's browser, potentially allowing session hijacking, credential theft, or further exploitation within the Checkmk web interface. The CVSS 4.0 base score is 7.3, reflecting network attack vector, low attack complexity, partial privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. Although no known exploits have been observed in the wild, the vulnerability poses a significant risk due to the widespread use of Checkmk in IT infrastructure monitoring. The vulnerability does not require elevated privileges to exploit but does require the attacker to influence host check outputs and the victim to click a malicious link. This scenario highlights the importance of securing input sources and user awareness against phishing attacks. No official patches were linked in the provided data, but updates to versions 2.4.0p22 and 2.3.0p43 or later are implied to remediate the issue.

CVE Database V5

Detailed information about CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk 

CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk

Operation Zero is a Russian exploit broker operation sanctioned by the US government after acquiring eight zero-day exploits from a jailed US defense contractor executive. These zero-days represent previously unknown vulnerabilities that could be weaponized for cyberattacks. Although no known exploits are currently observed in the wild, the potential for future exploitation remains significant. The broker's access to multiple zero-days increases the risk of targeted attacks against critical infrastructure and government entities. This threat highlights insider risks and the illicit trade of advanced cyber capabilities. Organizations should be vigilant for suspicious activity and prioritize threat intelligence sharing. The medium severity reflects the current absence of active exploitation but acknowledges the high potential impact if weaponized. Countries with strategic interests in US-Russia relations and high technology adoption are most at risk. Immediate mitigation involves enhancing monitoring, patch management, and insider threat detection. Defenders must prepare for possible future exploitation campaigns leveraging these zero-days.

Operation Zero is a cyber threat actor identified as a Russian exploit broker that recently came under US sanctions after acquiring eight zero-day vulnerabilities from a US defense contractor executive who was imprisoned for his involvement. Zero-day exploits are vulnerabilities unknown to the vendor and unpatched, making them highly valuable for offensive cyber operations. The broker's acquisition of multiple zero-days from an insider source within a US defense contractor underscores the significant insider threat and the risks posed by the illicit cyber exploit market. While there are no confirmed reports of these zero-days being exploited in the wild yet, the possession of such exploits enables the broker to potentially sell or deploy them in targeted cyberattacks against high-value targets such as government agencies, critical infrastructure, defense contractors, and private sector organizations. The lack of detailed information on the affected software or hardware versions limits precise technical mitigation but emphasizes the need for heightened vigilance. The operation exemplifies the intersection of geopolitical tensions and cyber espionage, with Russia leveraging stolen US-origin exploits to enhance its cyber capabilities. The medium severity rating reflects the current non-exploitation status but acknowledges the high risk due to the nature of zero-day vulnerabilities and the strategic value of the stolen exploits.

SecurityWeek

Detailed information about US Sanctions Russian Exploit Broker Operation Zero. Get real-time updates, technical details, and mitigation strategies.

US Sanctions Russian Exploit Broker Operation Zero - Live Threat Intelligence - Threat Radar | OffSeq.com

Original Source

US Sanctions Russian Exploit Broker Operation Zero

Trend Micro has released patches addressing eight critical and high-severity vulnerabilities in its Apex One endpoint security products for Windows and macOS. These vulnerabilities could potentially allow attackers to compromise endpoint systems, impacting confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the critical severity indicates a significant risk if left unpatched. Organizations using Apex One on Windows and macOS should prioritize applying these patches promptly to mitigate potential attacks. The threat primarily affects environments where Trend Micro Apex One is deployed, which includes enterprises globally. Due to the critical nature and the broad deployment of these endpoint products, the risk spans multiple sectors and regions. Immediate remediation is essential to prevent exploitation that could lead to unauthorized access or disruption of endpoint security functions.

Trend Micro has addressed eight vulnerabilities classified as critical and high severity within its Apex One endpoint security solutions for Windows and macOS platforms. Apex One is widely used in enterprise environments to provide endpoint protection, including malware detection and response capabilities. The vulnerabilities, while not detailed in the provided information, are significant enough to warrant a critical severity rating, suggesting potential for remote code execution, privilege escalation, or bypass of security controls. These flaws could allow attackers to execute arbitrary code, escalate privileges, or disable security features, thereby compromising endpoint integrity and confidentiality. The lack of known exploits in the wild indicates these vulnerabilities were likely discovered through internal research or responsible disclosure. However, the critical nature demands urgent patching to prevent future exploitation. The absence of CVSS scores limits precise risk quantification, but the critical tag implies high impact and ease of exploitation. The vulnerabilities affect both Windows and macOS versions of Apex One, highlighting a cross-platform risk vector. Trend Micro's patch release is a proactive measure to secure endpoints against potential attacks leveraging these flaws.

Detailed information about Trend Micro Patches Critical Apex One Vulnerabilities. Get real-time updates, technical details, and mitigation strategies.

Trend Micro Patches Critical Apex One Vulnerabilities - Live Threat Intelligence - Threat Radar | OffSeq.com

Trend Micro Patches Critical Apex One Vulnerabilities

The provided information pertains to a Maltrail Indicator of Compromise (IOC) dated February 26, 2026, sourced from the CIRCL OSINT Feed. Maltrail is a network traffic detection system designed to identify suspicious or malicious network activity by analyzing traffic patterns and known malicious indicators. This IOC is classified as malware-related but lacks specific details such as affected software versions, malware family, or attack vectors. The entry does not list any known exploits in the wild or available patches, indicating that it is primarily an observational data point rather than a report of an active or newly discovered vulnerability. The IOC is tagged with 'medium' severity, reflecting a moderate risk level based on the observed network activity. The technical details are minimal, with no concrete indicators of compromise (such as IP addresses, domains, or file hashes) provided, limiting the ability to perform targeted detection or response. The classification under OSINT and network activity suggests that this IOC is derived from manual collection and external analysis of network traffic patterns, potentially highlighting emerging or ongoing malware campaigns. The absence of CWE identifiers and patch information further supports that this is a threat intelligence observation rather than a software vulnerability. Organizations utilizing network monitoring tools like Maltrail can use this IOC to enhance their detection capabilities by correlating it with internal network data to identify potential malware infections or communications. However, without specific indicators, the IOC serves more as a contextual alert to maintain heightened vigilance against malware-related network anomalies.

CIRCL OSINT Feed

Detailed information about Maltrail IOC for 2026-02-26. Get real-time updates, technical details, and mitigation strategies.

Maltrail IOC for 2026-02-26 - Live Threat Intelligence - Threat Radar | OffSeq.com

Maltrail IOC for 2026-02-26

The KRVTZ-NET IDS alerts dated 2026-02-26 highlight network reconnaissance activity targeting Fortinet FortiGate VPN devices. The alerts specifically identify repeated GET requests to the /remote/logincheck endpoint, which is associated with CVE-2023-27997, a known vulnerability in FortiGate VPNs that could allow unauthorized access or exploitation if successfully leveraged. The indicators include IPv6 addresses (2001:470:1:c84::19 and 2001:470:1:fb5:4709:6cd5:858c:48d) and an IPv4 address (185.177.72.60) exhibiting suspicious user-agent strings mimicking legitimate browsers but with anomalous versioning, suggesting automated scanning or probing tools. The activity is categorized as reconnaissance in the kill chain, indicating attackers are gathering information to identify vulnerable targets. No patches are currently linked in this report, and no known exploits in the wild have been confirmed, suggesting this is early-stage probing rather than active exploitation. The low severity rating reflects the preliminary nature of the threat, but the presence of these scans indicates persistent interest in FortiGate VPN vulnerabilities by threat actors. The CIRCL OSINT feed provides this data as part of ongoing monitoring of network activity and threat intelligence gathering.

ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)

ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)

Detailed information about KRVTZ-NET IDS alerts for 2026-02-26. Get real-time updates, technical details, and mitigation strategies.

KRVTZ-NET IDS alerts for 2026-02-26 - Live Threat Intelligence - Threat Radar | OffSeq.com

KRVTZ-NET IDS alerts for 2026-02-26

D-Link DIR-605L v2.13B01 was discovered to contain a hardcoded password vulnerability in /etc/passwd, which allows attackers to log in as root.

Detailed information about CVE-2024-37630: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2024-37630: n/a

CVE-2024-37630: n/a

Description

Technical Details

Community Reviews

Related Threats

CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk

CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing

CVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS

CVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews

CVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility