CVE-2025-64998
Published 2026-03-24
Priority: P340 | Severity: high | CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% (25.3rd percentile)
Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk_gmbh | checkmk | — | — |
| checkmk_gmbh | checkmk | >= 2.3.0 < 2.3.0p45 | 2.3.0p45 |
| checkmk_gmbh | checkmk | >= 2.4.0 < 2.4.0p23 | 2.4.0p23 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.3 | HIGH | — |
OSV
CVE-2025-64998 [HIGH], CVSS 7.3, published 2026-03-24 (same description as above).
GHSA
GHSA-6642-x6x4-g343 (unreviewed), CVE-2025-64998 [HIGH], CWE-522, published 2026-03-24 (same description as above).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.