CVE-2021-40906: CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service paramet...
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.
Security readout for executives and security teams
Plain-English summary
CVE-2021-40906 is a reflected XSS in CheckMK Raw Edition, described for versions 1.5.0 to 1.6.0. An unauthenticated web service parameter may reflect unsanitized input into a user's browser, potentially exposing authenticated users to session theft or browser-side actions.
Executive priority
Treat this as a targeted web application exposure to verify promptly, not a confirmed emergency. Prioritize systems reachable from the internet or used by privileged monitoring administrators.
Technical view
The CVE describes insufficient input sanitization in an unauthenticated web service parameter, allowing reflected client-side script execution. Successful abuse requires access to the unauthenticated web service resource and a browser context. The bundle provides no CVSS vector, CWE, patch version, or vendor advisory details.
Likely exposure
Organizations running CheckMK Raw Edition 1.5.0 through 1.6.0 may be exposed if the affected web service resource is reachable without authentication, especially from untrusted networks.
Exploitation context
The CVE is not listed as KEV in the bundle. A public GitHub reference exists, but the provided evidence does not establish active exploitation. Abuse appears to require unauthenticated resource access and user interaction or interception context.
Researcher notes
The public record lacks CVSS, CWE, detailed affected CPEs, and vendor remediation data. Do not assume affected versions beyond the description. The GitHub reference may contain technical detail, but the bundle alone does not prove exploitation in the wild.
Mitigation direction
Inventory CheckMK Raw Edition deployments and versions.
Restrict unauthenticated access to CheckMK web service resources.
Check official CheckMK vendor guidance for fixed versions or workarounds.
Harden session cookie settings and browser-side security headers where supported.
Monitor logs for suspicious requests to unauthenticated CheckMK web endpoints.
Validation and detection
Confirm whether CheckMK Raw Edition 1.5.0 to 1.6.0 is deployed.
Identify externally reachable CheckMK web service resources.
Review access controls around unauthenticated service endpoints.
Check vendor release notes or advisories for remediation status.
Assess whether authenticated users access CheckMK over untrusted networks.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-40906 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Mar 25, 2022, 22:20 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.