CVE-2025-39664

Summary

Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.4.0 < 2.4.0p13affected
Checkmk GmbHCheckmk2.3.0 < 2.3.0p38affected
Checkmk GmbHCheckmk2.2.0 < 2.2.0p46affected
Checkmk GmbHCheckmk2.1.0affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References