CVE-2025-32919
📋 TL;DR
This vulnerability allows local privilege escalation on Windows systems running affected Checkmk Windows Agent versions. An attacker with local access can exploit insecure temporary directory handling in the Windows License plugin to execute arbitrary code with SYSTEM privileges. This affects Checkmk installations on Windows with vulnerable agent versions.
💻 Affected Systems
- Checkmk Windows Agent
📦 What is this software?
Checkmk by Checkmk
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege compromise allowing complete control of the Windows host, installation of persistent malware, credential theft, and lateral movement within the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of additional tools, disabling security controls, and accessing sensitive data.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced, though the privilege escalation path remains available.
🎯 Exploit Status
Exploitation requires local access to the Windows system. Public proof-of-concept code is available in the referenced GitHub advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0p13, 2.3.0p38, or 2.2.0p46 depending on your version
Vendor Advisory: https://checkmk.com/werk/18207
Restart Required: Yes
Instructions:
1. Identify your Checkmk version.
2. Upgrade to patched version: 2.4.0p13, 2.3.0p38, or 2.2.0p46.
3. Restart the Checkmk agent service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Remove vulnerable plugin
Windows: Temporarily disable or remove the vulnerable Windows License plugin
Remove or rename the Windows License plugin file in the Checkmk agent plugins directory
Restrict plugin permissions
Windows: Set restrictive permissions on the temporary directory used by the plugin
icacls "C:\ProgramData\checkmk\agent\tmp" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
🧯 If You Can't Patch
- Implement strict endpoint protection with behavioral monitoring for privilege escalation attempts
- Enforce least privilege principles and restrict local user access to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check the Checkmk agent version and compare it against the affected versions. Also check whether the Windows License plugin exists in the agent plugins directory.
Check Version:
check_mk_agent.exe --version or check the agent version in Checkmk web interface
Verify Fix Applied:
Verify agent version is 2.4.0p13, 2.3.0p38, or 2.2.0p46 or higher. Check that temporary directory permissions are secure.
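One way to check that the temporary directory permissions are secure is to parse the output of `icacls` for the directory and list every principal other than SYSTEM and Administrators that holds a write-capable allow entry. This is an added example, not code from Checkmk or from this page; it assumes English-locale principal names, and both sample outputs are constructed.

```python
import re

# Principals the workaround on this page grants access to (assumes English-locale names).
TRUSTED = {"nt authority\\system", "builtin\\administrators"}
# icacls right codes that let a principal create, change or replace content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GA", "GW", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

PATH = r"C:\ProgramData\checkmk\agent\tmp"
# Constructed sample: ACL inherited from the parent, local users may create files.
BEFORE = r"""C:\ProgramData\checkmk\agent\tmp NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                 BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: ACL after the icacls workaround shown on this page.
AFTER = r"""C:\ProgramData\checkmk\agent\tmp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                 BUILTIN\Administrators:(OI)(CI)(F)"""

def parse_icacls(path, output):
    """Return [(principal, rights_set, is_deny)] from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]      # the first ACE shares a line with the path
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line.strip())
        if not m:
            continue                     # blank line or the summary line
        rights, deny = set(), False
        for group in re.findall(r"\(([^)]*)\)", m.group(2)):
            if group == "DENY":
                deny = True
            elif group not in INHERIT_FLAGS:
                rights.update(r.strip() for r in group.split(","))
        aces.append((m.group(1), rights, deny))
    return aces

def writable_by_untrusted(path, output):
    """Principals outside TRUSTED that hold an allow ACE with any write right."""
    return sorted({who for who, rights, deny in parse_icacls(path, output)
                   if not deny and who.lower() not in TRUSTED and rights & WRITE_RIGHTS})

if __name__ == "__main__":
    print("before:", writable_by_untrusted(PATH, BEFORE))
    print("after: ", writable_by_untrusted(PATH, AFTER))
```

An empty list means only SYSTEM and Administrators can write to the directory; any other principal in the result needs review.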
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Checkmk agent directories
- Privilege escalation attempts involving Checkmk processes
- File creation in insecure temporary directories by SYSTEM account
Network Indicators:
- Unusual outbound connections from Checkmk agent systems following local compromise
SIEM Query:
Process Creation where (Image contains 'checkmk' OR ParentImage contains 'checkmk') AND IntegrityLevel changed to 'System'