LiveActive security incident?Get immediate response
CVE Record

CVE-2021-40906: CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service paramet...

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2021-40906 is a reflected XSS in CheckMK Raw Edition, described for versions 1.5.0 to 1.6.0. An unauthenticated web service parameter may reflect unsanitized input into a user's browser, potentially exposing authenticated users to session theft or browser-side actions.

Executive priority

Treat this as a targeted web application exposure to verify promptly, not a confirmed emergency. Prioritize systems reachable from the internet or used by privileged monitoring administrators.

Technical view

The CVE describes insufficient input sanitization in an unauthenticated web service parameter, allowing reflected client-side script execution. Successful abuse requires access to the unauthenticated web service resource and a browser context. The bundle provides no CVSS vector, CWE, patch version, or vendor advisory details.

Likely exposure

Organizations running CheckMK Raw Edition 1.5.0 through 1.6.0 may be exposed if the affected web service resource is reachable without authentication, especially from untrusted networks.

Exploitation context

The CVE is not listed as KEV in the bundle. A public GitHub reference exists, but the provided evidence does not establish active exploitation. Abuse appears to require unauthenticated resource access and user interaction or interception context.

Researcher notes

The public record lacks CVSS, CWE, detailed affected CPEs, and vendor remediation data. Do not assume affected versions beyond the description. The GitHub reference may contain technical detail, but the bundle alone does not prove exploitation in the wild.

Mitigation direction

  • Inventory CheckMK Raw Edition deployments and versions.
  • Restrict unauthenticated access to CheckMK web service resources.
  • Check official CheckMK vendor guidance for fixed versions or workarounds.
  • Harden session cookie settings and browser-side security headers where supported.
  • Monitor logs for suspicious requests to unauthenticated CheckMK web endpoints.

Validation and detection

  • Confirm whether CheckMK Raw Edition 1.5.0 to 1.6.0 is deployed.
  • Identify externally reachable CheckMK web service resources.
  • Review access controls around unauthenticated service endpoints.
  • Check vendor release notes or advisories for remediation status.
  • Assess whether authenticated users access CheckMK over untrusted networks.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-40906 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.