CVE-2025-64998

UNKNOWN 0.0

Session hijacking via exposed session signing secret in distributed Checkmk setups

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

10th

Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies.

CWE	CWE-522
Vendor	checkmk gmbh
Product	checkmk
Published	Mar 24, 2026
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for checkmk gmbh checkmk

Be the first to know when new unknown vulnerabilities affecting checkmk gmbh checkmk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Checkmk GmbH / Checkmk

2.4.0 < 2.4.0p23 2.3.0 < 2.3.0p45 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

checkmk.com: https://checkmk.com/werk/18954

Credits

🔍 Lisa Gnedt (SBA Research)