CVE-2025-39664 is a path traversal vulnerability classified under CWE-22 affecting the Checkmk monitoring software developed by Checkmk GmbH. The flaw exists in the report scheduler component of Checkmk versions prior to 2.4.0p13, 2.3.0p38, 2.2.0p46, and the end-of-life 2.1.0 version. The vulnerability arises from insufficient escaping and validation of pathname inputs when defining the storage location for report file pairs. Authenticated attackers with low privileges can exploit this by specifying file paths that traverse outside the intended root directory, allowing them to write or overwrite files arbitrarily on the file system where Checkmk runs. This can lead to unauthorized file creation, potential overwriting of critical files, and disruption of system integrity and availability. The vulnerability does not require user interaction and can be exploited remotely over the network. Although no public exploits are currently known, the vulnerability’s CVSS 4.0 score of 7.1 indicates a high risk due to the ease of exploitation and significant impact on integrity and availability. The flaw affects multiple major versions of Checkmk, a widely used IT infrastructure monitoring tool, making it a critical concern for organizations relying on this software for operational monitoring and reporting.

For European organizations, exploitation of CVE-2025-39664 can lead to unauthorized modification or creation of files outside the designated report directories, potentially compromising the integrity of monitoring data and reports. This could disrupt IT operations by corrupting monitoring outputs or overwriting configuration files, leading to degraded visibility into infrastructure health or triggering false alerts. Attackers might leverage this to implant malicious files or scripts, facilitating further lateral movement or persistence within the network. Given Checkmk’s role in critical infrastructure monitoring, such disruptions can impact availability and operational continuity. Organizations in sectors with stringent compliance requirements (e.g., finance, healthcare, energy) may face regulatory risks if monitoring data integrity is compromised. The vulnerability’s exploitation requires authentication but only low privileges, increasing the risk from insider threats or compromised user accounts. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

European organizations should immediately upgrade Checkmk to versions 2.4.0p13, 2.3.0p38, or 2.2.0p46 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, restrict access to the report scheduler functionality to trusted administrators only and enforce strict authentication controls. Implement file system monitoring and integrity checking on directories used by Checkmk to detect unauthorized file creations or modifications. Employ application-level input validation and escaping where possible to prevent path traversal attempts. Regularly audit user privileges within Checkmk to minimize the number of accounts with report scheduling permissions. Network segmentation and limiting access to the Checkmk server can reduce exposure. Finally, maintain up-to-date backups of configuration and report data to enable recovery in case of file tampering.