CVE-2024-13723

7.2 HIGH

📋 TL;DR

CVE-2024-13723 is a remote code execution vulnerability in the NagVis component of Checkmk. Authenticated attackers with administrative privileges can upload malicious PHP files and modify settings to execute arbitrary code. This affects Checkmk installations using NagVis for visualization.

💻 Affected Systems

Products:
  • Checkmk with NagVis component
Versions: Checkmk versions before 2.3.0p10 with NagVis before 1.9.42
Operating Systems: Linux, Windows, All platforms running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires NagVis component enabled and administrative access to the Checkmk interface.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing an attacker to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems.

🟠 Likely Case: Privilege escalation leading to data exfiltration, installation of backdoors, or disruption of monitoring services.

🟢 If Mitigated: Limited impact if proper access controls and file upload restrictions are in place, though administrative compromise remains possible.

🌐 Internet-Facing: HIGH if the administrative interface is exposed to the internet without strong authentication.
🏢 Internal Only: MEDIUM, as it requires administrative credentials but could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials but is straightforward once access is obtained. A public proof-of-concept exists in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.3.0p10, NagVis 1.9.42

Vendor Advisory: https://checkmk.com/werks?version=2.3.0p10

Restart Required: Yes

Instructions:

  1. Update Checkmk to version 2.3.0p10 or later.
  2. Update NagVis component to version 1.9.42 or later.
  3. Restart Checkmk services.
  4. Verify the update was successful.

🔧 Temporary Workarounds

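Restrict administrative access (all platforms)

Limit administrative access to the Checkmk interface to trusted IP addresses only.

# Configure firewall rules to restrict access to the Checkmk admin interface.
# Example (TRUSTED_IP is a placeholder; use the port the interface is served on, e.g. 443 for HTTPS):
# iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP   # without a drop rule the ACCEPT above restricts nothing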

Disable NagVis if not needed (all platforms)

Temporarily disable the NagVis component until patching can be completed.

# In Checkmk: Disable NagVis module or remove from active configuration

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for administrative accounts.
  • Monitor file upload activities and PHP file execution in NagVis directories.

🔍 How to Verify

Check if Vulnerable:

Check the Checkmk version with 'omd version' and verify the NagVis version in the component settings. If Checkmk < 2.3.0p10 or NagVis < 1.9.42, the system is vulnerable.

Check Version:

omd version

Verify Fix Applied:

Confirm the Checkmk version is 2.3.0p10 or later and NagVis is 1.9.42 or later. Test that administrative file upload functionality is properly restricted.
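
Added example (not part of the original advisory and not Checkmk's own tooling): a shell check that compares an installed Checkmk and NagVis version numerically against the fixed releases named above, since a plain string comparison would rank 2.3.0p9 above 2.3.0p10. The "omd version" output format, the edition suffixes (.cre, .cee) and the sample values are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or from Checkmk): compare installed
# versions against the fixed releases this page names.
FIXED_CHECKMK=2.3.0p10
FIXED_NAGVIS=1.9.42

# normalize VERSION -> "major minor sub patch"; fails on formats it does not
# understand (betas, daily builds) so those get a manual review, not a guess.
normalize() {
    v=${1%.c[a-z][a-z]}     # drop an edition suffix such as .cre or .cee (assumed format)
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$' || return 1
    printf '%s\n' "$v" | awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# ver_lt A B: exit 0 if A < B, 1 if A >= B, 2 if either cannot be parsed.
ver_lt() {
    a=$(normalize "$1") && b=$(normalize "$2") || return 2
    printf '%s %s\n' "$a" "$b" | awk '{
        for (i = 1; i <= 4; i++) {
            if ($i < $(i + 4)) exit 0
            if ($i > $(i + 4)) exit 1
        }
        exit 1
    }'
}

# verdict INSTALLED FIXED -> vulnerable | patched | unknown
verdict() {
    rc=0
    ver_lt "$1" "$2" || rc=$?
    case $rc in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo unknown ;;
    esac
}

# omd_to_version: take the last word of "omd version" output (assumed layout).
omd_to_version() { awk 'NF { v = $NF } END { print v }'; }

# Constructed sample; on a real site use: cmk=$(omd version | omd_to_version)
sample='OMD - Open Monitoring Distribution Version 2.3.0p9.cee'
cmk=$(printf '%s\n' "$sample" | omd_to_version)
nagvis=${1:-1.9.40}         # constructed default; pass the real NagVis version as $1
echo "Checkmk $cmk: $(verdict "$cmk" "$FIXED_CHECKMK")"
echo "NagVis $nagvis: $(verdict "$nagvis" "$FIXED_NAGVIS")"
```

This page names a fixed Checkmk release only for the 2.3.0 line, so a verdict for any other release line should be confirmed against the vendor advisory. An "unknown" verdict means the version string needs a manual review.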

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to NagVis directories
  • PHP file execution from NagVis upload locations
  • Administrative login from unexpected sources

Network Indicators:

  • HTTP POST requests to NagVis file upload endpoints from unauthorized sources

SIEM Query:

source="checkmk.log" AND ("upload" OR "php" OR "nagvis") AND status="200"
