CVE-2025-39664: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Checkmk GmbH Checkmk
Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory.
AI Analysis
Technical Summary
CVE-2025-39664 is a path traversal vulnerability classified under CWE-22 found in the report scheduler component of Checkmk, a popular IT monitoring and reporting platform developed by Checkmk GmbH. The vulnerability exists due to insufficient escaping of user-supplied input that defines the storage location of report file pairs. Authenticated attackers with low privileges can exploit this flaw to specify arbitrary file paths outside the intended root directory, thereby writing or overwriting files on the host system. This can lead to unauthorized modification of critical files, potential privilege escalation, or disruption of monitoring services. The affected versions include Checkmk releases prior to 2.4.0p13, 2.3.0p38, 2.2.0p46, and the end-of-life 2.1.0 version. The CVSS 4.0 base score is 7.1, reflecting network attack vector, low attack complexity, no user interaction, and partial impact on confidentiality and integrity with high impact on availability. No public exploits are known at this time, but the vulnerability poses a significant risk due to the ability to write arbitrary files. The flaw is particularly concerning in environments where Checkmk is used to monitor critical infrastructure or sensitive enterprise systems, as attackers could disrupt monitoring or implant malicious files. The vulnerability was reserved in April 2025 and published in October 2025, with no patch links currently provided, indicating that organizations should monitor vendor updates closely.
Potential Impact
For European organizations, this vulnerability could have serious consequences. Checkmk is widely used in enterprise and critical infrastructure sectors for monitoring IT environments, including servers, networks, and applications. Exploitation could allow attackers to overwrite configuration files, implant malicious scripts, or disrupt monitoring reports, leading to loss of visibility into system health and potential cascading failures. This undermines operational integrity and could facilitate further attacks such as lateral movement or data exfiltration. The ability to write files outside the intended directory also risks compromising system confidentiality and integrity. Organizations in sectors such as finance, energy, telecommunications, and government are particularly vulnerable due to their reliance on continuous monitoring and reporting. The lack of known exploits provides a window for proactive mitigation, but the high severity score and ease of exploitation necessitate urgent attention to prevent potential incidents.
Mitigation Recommendations
1. Upgrade Checkmk to a patched release as soon as it is available: 2.4.0p13, 2.3.0p38 or 2.2.0p46, or later. The 2.1.0 line is end-of-life and will not receive a fix.
2. Until patches are applied, restrict access to the report scheduler functionality to a minimal set of trusted users to reduce the risk of exploitation.
3. Where the deployment allows it, enforce strict validation of any user-supplied path used for report storage, so that the resolved target always stays inside the intended root directory.
4. Monitor file system changes in the directories Checkmk uses for report storage to detect unauthorized file creation or modification.
5. Employ application-level logging and alerting to track unusual report scheduler activity or access patterns.
6. Conduct regular audits of Checkmk configurations and user permissions so that least-privilege principles are enforced.
7. Consider network segmentation and firewall rules to limit exposure of Checkmk interfaces to only the internal systems that need them.
8. Stay informed via Checkmk security advisories and CVE databases for updates or exploit disclosures.
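The following is an added example, not Checkmk's own code and not a description of how the report scheduler actually handles paths. It shows the confinement check that recommendations 3 and 6 call for: a user-supplied storage location is joined onto a fixed report root, fully resolved, and accepted only if the resolved target is still inside that root. Absolute paths, `..` components and symlinks that point outside the root are all rejected, and the same check doubles as an audit that flags already-configured schedule entries that escape the root. The function names, the `reports` directory layout and the sample paths are constructed for the demonstration.

```python
# Added example (not Checkmk code): confine a user-supplied report storage
# path to a fixed root directory. Names and the on-disk layout used by
# demo_root() are constructed for this demonstration.
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the report root."""


def confine_report_path(root: str, user_path: str) -> Path:
    """Return the absolute target for user_path inside root, or raise.

    Rejects NUL bytes, absolute paths, any '..' or symlink hop that resolves
    outside root, and a path that names the root directory itself.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    root_resolved = Path(root).resolve(strict=True)
    candidate = Path(user_path)
    # An absolute (or drive/root-anchored) component makes the join below
    # discard the root entirely, so it is rejected before joining.
    if candidate.is_absolute() or candidate.anchor:
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    # strict=False: the report file need not exist yet, but every existing
    # parent, including symlinks, is resolved, so a link out of root is caught.
    target = (root_resolved / candidate).resolve()
    if target == root_resolved:
        raise PathTraversalError("path names the root directory, not a file")
    try:
        target.relative_to(root_resolved)
    except ValueError:
        raise PathTraversalError(f"path escapes report root: {user_path!r}") from None
    return target


def is_confined(root: str, user_path: str) -> bool:
    """True if user_path is accepted by confine_report_path, False otherwise."""
    try:
        confine_report_path(root, user_path)
        return True
    except PathTraversalError:
        return False


def find_escaped_entries(root: str, schedules: dict) -> list:
    """Audit helper: names of configured schedules whose storage path escapes root."""
    return sorted(name for name, path in schedules.items() if not is_confined(root, path))


def demo_root() -> str:
    """Build a constructed report root that contains a symlink pointing outside it."""
    base = Path(tempfile.mkdtemp(prefix="cmk-demo-"))
    root = base / "reports"
    (root / "weekly").mkdir(parents=True)
    (root / "shortcut").symlink_to(base)  # resolves to the parent, i.e. outside root
    return str(root)


if __name__ == "__main__":
    demo = demo_root()
    samples = [
        "weekly/report.pdf",             # accepted
        "weekly/../daily/report.pdf",    # '..' that stays inside root: accepted
        "../../escape.txt",              # leaves root: rejected
        "/etc/cron.d/escape",            # absolute: rejected
        "shortcut/escape.txt",           # via symlink out of root: rejected
    ]
    for sample in samples:
        status = "ok" if is_confined(demo, sample) else "REJECTED"
        print(f"{sample!r:32} -> {status}")
```

The decisive step is resolving the joined path before comparing it with the resolved root: a purely lexical check on the input string would miss the symlink case, and checking `startswith` on the unresolved string would accept a sibling directory whose name merely begins with the root's name. `relative_to` on the resolved paths avoids both problems.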
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Checkmk
- Date Reserved: 2025-04-16T07:07:38.256Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68e7cfcdba0e608b4f9eb509
Added to database: 10/9/2025, 3:07:57 PM
Last enriched: 11/3/2025, 6:08:41 PM
Last updated: 11/22/2025, 11:10:34 AM