back to website

Werk #19030: Remote alert handlers (Linux) exposes SSH keys in rule page

Component Setup
Title Remote alert handlers (Linux) exposes SSH keys in rule page
Date Nov 28, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.5.0b1
Not yet released 		Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p18 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

The "Remote alert handlers (Linux)" previously exposed SSH private keys in the HTML source of the rule page. Knowledge of the private key would allow them to trigger the configured alert handlers on affected hosts. Since the specific alert handlers that can be run with the key are strictly defined in the authorized_keys file, no further access beyond this would be possible. The issue is now fixed.

This vulnerability was found during internal review.

Who's Affected:

All configurations using the Remote alert handlers (Linux) rule in all editions are affected.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Mitigations:

If updating is not possible, consider deactivating the rule and roll-out affected agents. Validate the alert handler key is no longer present in the host's authorized_keys file.

Vulnerability Management:

We have rated the issue with a CVSS Score of 2.3 Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:L) and assigned CVE-2025-65000.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our Checkmk Conference #12 – the hybrid Monitoring Community event in Munich, on June 16-18 – to explore new Checkmk features, best practices, and our roadmap.

Register now