CVE-2025-64998 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting Checkmk, a widely used IT infrastructure monitoring solution by Checkmk GmbH. The flaw exists in versions prior to 2.4.0p23, 2.3.0p45, and 2.2.0, where the session signing secret used to secure session cookies is exposed to administrators of remote sites that have configuration synchronization enabled. This exposure allows these remote site administrators to forge session cookies, effectively hijacking sessions on the central Checkmk site. The vulnerability arises because the secret used to sign session cookies is not adequately protected, enabling an attacker with legitimate high-level access on a remote site to impersonate users or administrators on the central site. The CVSS 4.0 score of 7.3 reflects a high severity, considering the network attack vector, low attack complexity, required privileges at a high level, and partial user interaction. The impact covers confidentiality, integrity, and availability of the central site’s session management, potentially allowing unauthorized access and control. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple Checkmk sites are synchronized. The flaw highlights the importance of secure credential management and isolation between distributed monitoring sites.

The vulnerability enables an attacker with administrative privileges on a remote Checkmk site to hijack sessions on the central site, potentially gaining unauthorized access to sensitive monitoring data and administrative functions. This can lead to unauthorized disclosure of confidential infrastructure information, manipulation or disruption of monitoring data, and possible denial of service through session takeover. Organizations relying on Checkmk for critical infrastructure monitoring and management could face operational disruptions, loss of trust in monitoring data integrity, and increased risk of further lateral movement within their networks. The attack requires high privileges on a remote site, which limits the scope but does not eliminate risk, especially in large distributed environments. The exposure of session signing secrets undermines the fundamental security of session management, increasing the likelihood of persistent unauthorized access if exploited.

1. Immediately upgrade Checkmk installations to versions 2.4.0p23, 2.3.0p45, or 2.2.0 or later where the vulnerability is patched. 2. Restrict and audit administrative privileges on remote sites, especially those with config sync enabled, to minimize the risk of insider threats or compromised accounts. 3. Implement strict network segmentation and access controls between remote and central Checkmk sites to reduce the attack surface. 4. Regularly rotate session signing secrets and enforce strong cryptographic protections to prevent exposure. 5. Monitor logs for unusual session creation or cookie usage patterns indicative of session forgery attempts. 6. Consider disabling config sync if not required or use alternative secure synchronization methods. 7. Conduct security awareness training for administrators managing distributed Checkmk environments to recognize and prevent misuse of privileges.