CVE-2025-58122
published 2025-11-18
CVE-2025-58122: Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API…
Priority P4 · 29 · medium · 5.4 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.14% (4.0th percentile)
Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| checkmk | checkmk | — | — |
| checkmk_gmbh | checkmk | >= 2.4.0 < 2.4.0p16 | 2.4.0p16 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 5.3 | MEDIUM | — |
GHSA
GHSA-2hf3-jphf-r8cc: Insufficient permission validation in Checkmk 2
ghsa_unreviewed·2025-11-18
CVE-2025-58122 [MEDIUM] CWE-280 GHSA-2hf3-jphf-r8cc: Insufficient permission validation in Checkmk 2
OSV
CVE-2025-58122: Insufficient permission validation in Checkmk 2
osv·2025-11-18·CVSS 5.3
CVE-2025-58122 [MEDIUM] CVE-2025-58122: Insufficient permission validation in Checkmk 2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-18