CVE-2025-58121
📋 TL;DR
This vulnerability allows low-privileged users in Checkmk to bypass permission checks on REST API endpoints, enabling unauthorized actions or access to sensitive information. It affects Checkmk versions 2.2.0, 2.3.0, and 2.4.0 before 2.4.0p16. Organizations using these versions with multiple user accounts are at risk.
💻 Affected Systems
- Checkmk
📦 What is this software?
Checkmk by Checkmk
⚠️ Risk & Real-World Impact
Worst Case
Low-privileged users could escalate privileges, modify monitoring configurations, access sensitive system information, or disrupt monitoring operations.
Likely Case
Unauthorized users accessing data they shouldn't see, potentially exposing monitoring data, system information, or performing limited unauthorized actions.
If Mitigated
With proper network segmentation and minimal user accounts, impact is limited to authorized users exceeding their intended permissions.
🎯 Exploit Status
Requires authenticated low-privilege access. Exploitation involves calling REST API endpoints that should be restricted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0p16
Vendor Advisory: https://checkmk.com/werk/18983
Restart Required: Yes
Instructions:
1. Backup your Checkmk configuration.
2. Update to Checkmk 2.4.0p16 or later using your package manager.
3. Restart Checkmk services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict REST API Access
Limit network access to Checkmk REST API endpoints using firewall rules. In the rules below, trusted_network is a placeholder for the CIDR of the hosts that legitimately need API access; because iptables -A appends, the ACCEPT rule must precede the DROP rule and any broader pre-existing ACCEPT for that port will still take effect.
iptables -A INPUT -p tcp --dport 5000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
Minimize User Accounts
Reduce the number of low-privilege user accounts and review existing permissions.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Checkmk from untrusted networks
- Audit and reduce low-privilege user accounts, monitor for unusual API activity
🔍 How to Verify
Check if Vulnerable:
Check the Checkmk version with omd version. If the version is 2.2.0, 2.3.0, or 2.4.0 before p16, you are vulnerable.
Check Version:
omd version
Verify Fix Applied:
Verify version is 2.4.0p16 or later: omd version. Test that low-privilege users cannot access restricted API endpoints.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls from low-privilege users
- Access to restricted endpoints in audit logs
- Permission denied errors followed by successful access
Network Indicators:
- Increased REST API traffic from unexpected sources
- Pattern of API calls typical of privilege escalation attempts
SIEM Query:
source="checkmk" AND (event_type="api_call" AND user_role="low_privilege" AND endpoint IN sensitive_endpoints)
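The SIEM query above is pseudo-syntax; the following is an added example (not from the advisory or from Checkmk) that implements the same two log indicators, a low-privilege user succeeding against a sensitive endpoint and a 403 followed by a 2xx on the same user and path, over constructed Apache combined-format access log lines such as the Checkmk site Apache writes. The user-to-role map, the set of roles treated as low-privilege (Checkmk's built-in "user" and "guest" roles) and the endpoint paths treated as sensitive are assumptions for this example and must be adapted to your site.

```python
import re

# Constructed sample log lines (Apache combined format; user taken from the authuser field).
SAMPLE_LOG = """\
10.0.0.5 - monitor_ro [01/Oct/2025:10:00:01 +0000] "GET /mysite/check_mk/api/1.0/domain-types/host_config/collections/all HTTP/1.1" 200 5123 "-" "curl/8.0"
10.0.0.5 - monitor_ro [01/Oct/2025:10:00:02 +0000] "GET /mysite/check_mk/api/1.0/domain-types/user_config/collections/all HTTP/1.1" 403 210 "-" "curl/8.0"
10.0.0.5 - monitor_ro [01/Oct/2025:10:00:03 +0000] "GET /mysite/check_mk/api/1.0/domain-types/user_config/collections/all HTTP/1.1" 200 8841 "-" "curl/8.0"
10.0.0.9 - cmkadmin [01/Oct/2025:10:01:00 +0000] "POST /mysite/check_mk/api/1.0/domain-types/activation_run/actions/activate-changes/invoke HTTP/1.1" 200 90 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumptions for this example: which roles count as low-privilege and which
# endpoint families are considered sensitive for those roles at this site.
LOW_PRIV_ROLES = {"user", "guest"}
SENSITIVE = re.compile(r"/api/1\.0/domain-types/(user_config|activation_run|rule)")
ROLE_OF = {"monitor_ro": "guest", "cmkadmin": "admin"}  # constructed user -> role map


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def detect(log_text, role_of, low_priv_roles=LOW_PRIV_ROLES, sensitive=SENSITIVE):
    """Return (user, path, reason) findings for REST API requests in log_text."""
    findings = []
    denied = set()  # (user, path) pairs that previously received a 403
    for line in log_text.splitlines():
        e = parse(line)
        if not e or "/check_mk/api/" not in e["path"]:
            continue  # not a REST API request
        key = (e["user"], e["path"])
        if e["status"] == 403:
            denied.add(key)
        elif 200 <= e["status"] < 300:
            if key in denied:  # permission denied earlier, now succeeding
                denied.discard(key)
                findings.append((e["user"], e["path"], "denied-then-allowed"))
            if role_of.get(e["user"]) in low_priv_roles and sensitive.search(e["path"]):
                findings.append((e["user"], e["path"], "low-priv-sensitive-endpoint"))
    return findings


if __name__ == "__main__":
    for user, path, reason in detect(SAMPLE_LOG, ROLE_OF):
        print(f"{reason}: {user} {path}")
```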