Analysis pending: CVE-2024-47091

CVE-2024-47091: Privilege Escalation in Checkmk Agent

Platform: windows

Component: checkmk

Fixed in: 2.4.0p29

CVE-2024-47091 describes a privilege escalation vulnerability affecting Checkmk Agent versions 2.4.0 through 2.4.0p29, and earlier 2.3.0 and 2.2.0 versions. An attacker with the ability to create a Windows service named 'MySQL' or 'MariaDB' (or write access to a referenced binary) can leverage this flaw to execute arbitrary code with SYSTEM privileges. The vulnerability is present in the mk_mysql agent plugin on Windows systems and has been resolved in version 2.4.0p29.

Impact and Attack Scenarios

This vulnerability poses a significant risk because it allows a local, unprivileged user to gain SYSTEM-level access to the affected Checkmk Agent. Successful exploitation grants the attacker complete control over the system, enabling them to install malware, steal sensitive data, modify system configurations, and potentially pivot to other systems on the network. The ability to create a service with a specific name makes exploitation relatively straightforward, particularly in environments where service creation permissions are not tightly controlled. The SYSTEM context provides the highest level of privileges on the Windows system, maximizing the potential impact of a successful attack. This is comparable to other local privilege escalation vulnerabilities where an attacker can leverage misconfigured service accounts.

Exploitation Context

CVE-2024-47091 was published on May 13, 2026. Its exploitation probability is currently assessed as medium, given the relatively straightforward exploitation path and the potential for widespread deployment of Checkmk Agent. No public proof-of-concept (POC) code has been released as of the publication date, but the vulnerability's nature suggests that a POC is likely to emerge. It is not currently listed on KEV or EPSS, but this could change as more information becomes available.

Threat Analysis

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

Affected Software

Component: checkmk
Vendor: Checkmk GmbH
Minimum version: 2.4.0
Maximum version: 2.4.0p29
Fixed in: 2.4.0p29

Vulnerability Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-47091 is to upgrade Checkmk Agent to version 2.4.0p29 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing stricter controls on Windows service creation. Restrict the ability to create services with names like 'MySQL' or 'MariaDB' to authorized users only. Additionally, review and harden the permissions associated with the Checkmk agent service itself. While a WAF or proxy cannot directly mitigate this vulnerability, network segmentation can limit the potential blast radius if the agent is compromised. There are no specific Sigma or YARA rules available for this vulnerability at this time.
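
A read-only audit for the two conditions named above, as an added example (not Checkmk's code and not part of the original advisory): it lists services matching MySQL or MariaDB and reports principals outside a trusted set that hold write access to each service's binary. The substring match on the service name and the English built-in account names are assumptions.

```powershell
# Added audit example, not Checkmk code. Run from an elevated PowerShell session.
# Assumption: services whose Name or DisplayName contains "mysql" or "mariadb" are in scope.
$pattern = 'mysql|mariadb'

# Principals expected to hold write access to service binaries.
# Assumption: English account names; adjust on localized Windows installations.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Rights that allow replacing or modifying a file, plus GENERIC_ALL and GENERIC_WRITE,
# which Get-Acl can return as raw bit values.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    ForEach-Object {
        $svc = $_
        # PathName holds the full command line; extract the executable (quoted or unquoted).
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }

        $exists  = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $writers = @()
        if ($exists) {
            # Allow ACEs that grant any write-type right to a principal outside $trusted.
            $writers = (Get-Acl -LiteralPath $exe).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ([int]$_.FileSystemRights -band $writeBits) -ne 0 -and
                    $trusted -notcontains $_.IdentityReference.Value
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
        }

        [pscustomobject]@{
            Service          = $svc.Name
            RunsAs           = $svc.StartName
            Binary           = $exe
            BinaryExists     = $exists
            UntrustedWriters = $writers -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

A matching service that nobody recognises, a binary that does not exist, or any entry under UntrustedWriters is worth investigating before the agent plugin next runs.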

How to Fix

Upgrade the Checkmk agent to version 2.4.0p29 or later, 2.3.0p47 or later, or migrate from version 2.2.0 (EOL) to a supported version. This mitigates the privilege escalation vulnerability by correcting how the MySQL/MariaDB agent plugins are handled.

Frequently Asked Questions

What is CVE-2024-47091 — Privilege Escalation in Checkmk Agent?

CVE-2024-47091 is a vulnerability in Checkmk Agent allowing a local unprivileged user to escalate privileges to SYSTEM by creating a malicious service. This affects versions 2.4.0–2.4.0p29 and earlier. Upgrade is the recommended solution.

Am I affected by CVE-2024-47091 in Checkmk Agent?

You are affected if you are running Checkmk Agent versions 2.4.0 through 2.4.0p29, or earlier versions 2.3.0 and 2.2.0. Check your agent version to determine your risk level.

How do I fix CVE-2024-47091 in Checkmk Agent?

Upgrade Checkmk Agent to version 2.4.0p29 or later. If immediate upgrade is not possible, restrict service creation permissions and harden the Checkmk agent service.

Is CVE-2024-47091 being actively exploited?

While no public exploits are currently known, the vulnerability's nature suggests exploitation is likely. Monitor your systems closely and apply the fix promptly.

Where can I find the official Checkmk advisory for CVE-2024-47091?

Refer to the official Checkmk security advisory for CVE-2024-47091, which can be found on the Checkmk website under their security announcements section.
