CVE-2024-47091: Privilege Escalation in Checkmk Agent
平台
windows
组件
checkmk
修复版本
2.4.0p29
CVE-2024-47091 describes a privilege escalation vulnerability affecting Checkmk Agent versions 2.4.0 through 2.4.0p29, and earlier 2.3.x and 2.2.x versions. A local, unprivileged user can exploit this flaw to gain SYSTEM-level privileges. The vulnerability resides within the mk_mysql agent plugin on Windows systems, allowing malicious service creation. Affected users should upgrade to version 2.4.0p29 to resolve the issue.
影响与攻击场景翻译中…
The impact of CVE-2024-47091 is severe. Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges on the affected Checkmk Agent host. This grants complete control over the system, enabling data theft, malware installation, and lateral movement within the network. An attacker could leverage this to compromise other systems accessible from the Checkmk Agent host, potentially leading to a widespread breach. The ability to create a service with a specific name ('MySQL' or 'MariaDB') significantly lowers the barrier to exploitation, as it requires only local write access to a binary referenced by the service.
利用背景翻译中…
CVE-2024-47091 is currently not listed on KEV or EPSS, indicating a low to medium probability of exploitation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's relatively straightforward nature suggests that it could be exploited in the future. The vulnerability was published on 2026-05-13, and active campaigns are not currently known. Monitor security advisories and threat intelligence feeds for updates.
威胁情报
漏洞利用状态
EPSS
0.01% (3% 百分位)
CISA SSVC
受影响的软件
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2024-47091 is upgrading Checkmk Agent to version 2.4.0p29 or later. If immediate upgrading is not feasible, consider implementing stricter Windows service creation controls to prevent the creation of services with names matching 'MySQL' or 'MariaDB'. Review existing service configurations for any suspicious entries. While a WAF or proxy cannot directly mitigate this vulnerability, network segmentation can limit the potential blast radius if the agent is compromised. Monitor system logs for unusual service creation events. After upgrading, confirm the fix by attempting to create a service with the vulnerable name and verifying that the agent does not execute arbitrary code.
修复方法翻译中…
Actualice el agente Checkmk a la versión 2.4.0p29 o superior, 2.3.0p47 o superior, o migre desde la versión 2.2.0 (EOL) a una versión soportada. Esto mitiga la vulnerabilidad de escalada de privilegios al corregir la forma en que se manejan los plugins del agente MySQL/MariaDB.
常见问题翻译中…
What is CVE-2024-47091 — Privilege Escalation in Checkmk Agent?
CVE-2024-47091 is a vulnerability in Checkmk Agent versions 2.4.0–2.4.0p29 that allows a local, unprivileged user to escalate their privileges to SYSTEM by creating a malicious Windows service. This can lead to complete system compromise.
Am I affected by CVE-2024-47091 in Checkmk Agent?
You are affected if you are running Checkmk Agent versions 2.4.0 through 2.4.0p29, or earlier 2.3.x and 2.2.x versions on Windows systems. Upgrade to 2.4.0p29 or later to mitigate the risk.
How do I fix CVE-2024-47091 in Checkmk Agent?
The recommended fix is to upgrade Checkmk Agent to version 2.4.0p29 or later. If upgrading is not immediately possible, implement stricter Windows service creation controls to prevent malicious service creation.
Is CVE-2024-47091 being actively exploited?
Currently, there are no known active campaigns exploiting CVE-2024-47091. However, the vulnerability's nature suggests it could be exploited in the future, so vigilance is advised.
Where can I find the official Checkmk advisory for CVE-2024-47091?
Refer to the official Checkmk security advisory for CVE-2024-47091 on the Checkmk website: [https://portal.checkmk.com/security/CVE-2024-47091](https://portal.checkmk.com/security/CVE-2024-47091)
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...