CVE-2025-32918

Summary

Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.4.0 < 2.4.0p6affected
Checkmk GmbHCheckmk2.3.0 < 2.3.0p35affected
Checkmk GmbHCheckmk2.2.0 < 2.2.0p44affected
Checkmk GmbHCheckmk2.1.0affected

Weaknesses

  • CWE-140: CWE-140: Improper Neutralization of Delimiters

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References