CVE-2024-47091: Privilege Escalation in Checkmk Agent
Platform
windows
Component
checkmk
Fixed in
2.4.0p29
CVE-2024-47091 describes a privilege escalation vulnerability affecting Checkmk Agent versions 2.4.0 through 2.4.0p29, and earlier 2.3.x and 2.2.x versions. A local, unprivileged user can exploit this flaw to gain SYSTEM-level privileges. The vulnerability resides within the mk_mysql agent plugin on Windows systems, allowing malicious service creation. Affected users should upgrade to version 2.4.0p29 to resolve the issue.
Impact and Attack Scenarios
The impact of CVE-2024-47091 is severe. Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges on the affected Checkmk Agent host. This grants complete control over the system, enabling data theft, malware installation, and lateral movement within the network. An attacker could leverage this to compromise other systems accessible from the Checkmk Agent host, potentially leading to a widespread breach. The ability to create a service with a specific name ('MySQL' or 'MariaDB') significantly lowers the barrier to exploitation, as it requires only local write access to a binary referenced by the service.
Exploitation Context
CVE-2024-47091 is currently not listed on KEV or EPSS, indicating a low to medium probability of exploitation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's relatively straightforward nature suggests that it could be exploited in the future. The vulnerability was published on 2026-05-13, and active campaigns are not currently known. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
Exploit Status
EPSS
0.01% (3% percentile)
CISA SSVC
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-47091 is upgrading Checkmk Agent to version 2.4.0p29 or later. If immediate upgrading is not feasible, consider implementing stricter Windows service creation controls to prevent the creation of services with names matching 'MySQL' or 'MariaDB'. Review existing service configurations for any suspicious entries. While a WAF or proxy cannot directly mitigate this vulnerability, network segmentation can limit the potential blast radius if the agent is compromised. Monitor system logs for unusual service creation events. After upgrading, confirm the fix by attempting to create a service with the vulnerable name and verifying that the agent does not execute arbitrary code.
How to fix
Actualice el agente Checkmk a la versión 2.4.0p29 o superior, 2.3.0p47 o superior, o migre desde la versión 2.2.0 (EOL) a una versión soportada. Esto mitiga la vulnerabilidad de escalada de privilegios al corregir la forma en que se manejan los plugins del agente MySQL/MariaDB.
Frequently asked questions
What is CVE-2024-47091 — Privilege Escalation in Checkmk Agent?
CVE-2024-47091 is a vulnerability in Checkmk Agent versions 2.4.0–2.4.0p29 that allows a local, unprivileged user to escalate their privileges to SYSTEM by creating a malicious Windows service. This can lead to complete system compromise.
Am I affected by CVE-2024-47091 in Checkmk Agent?
You are affected if you are running Checkmk Agent versions 2.4.0 through 2.4.0p29, or earlier 2.3.x and 2.2.x versions on Windows systems. Upgrade to 2.4.0p29 or later to mitigate the risk.
How do I fix CVE-2024-47091 in Checkmk Agent?
The recommended fix is to upgrade Checkmk Agent to version 2.4.0p29 or later. If upgrading is not immediately possible, implement stricter Windows service creation controls to prevent malicious service creation.
Is CVE-2024-47091 being actively exploited?
Currently, there are no known active campaigns exploiting CVE-2024-47091. However, the vulnerability's nature suggests it could be exploited in the future, so vigilance is advised.
Where can I find the official Checkmk advisory for CVE-2024-47091?
Refer to the official Checkmk security advisory for CVE-2024-47091 on the Checkmk website: [https://portal.checkmk.com/security/CVE-2024-47091](https://portal.checkmk.com/security/CVE-2024-47091)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...