Executive Summary

CVE-2025-39666 is a critical local privilege escalation vulnerability in Checkmk's omd command-line tool used for site management.

The flaw allows a site user—who already has access to modify the site context—to escalate their privileges to root by placing a malicious payload that is executed when omd commands run as root.

This vulnerability arises because the omd tool uses the version specified in the site directory, which can be manipulated by the site user to execute arbitrary code with root privileges when omd commands are run as root.

Running omd commands inside the site context as the site user is safe and does not allow privilege escalation, but running omd commands as root is unsafe unless the system is fully patched and vulnerable packages are removed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a site user with limited privileges to escalate their access to root, which is the highest level of privilege on the system.

Impact scenarios include:

• On shared hosts, compromised site users can escalate to root, breaking isolation and compromising all sites on the host.
• On restricted hosts, site administrators without root access can bypass restrictions and gain root privileges.
• On dedicated hosts, the severity is lower but still represents a local privilege escalation risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying the presence of a security flag file named "security-werk-18891.flag" in the installed Checkmk version directories.

Additionally, scripts are provided to check if the system-wide or site-specific omd executables are patched or vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include stopping the Checkmk site using the command `sudo omd stop`.

Then update the site with `sudo omd update <site name>` to apply patches.

Uninstall old vulnerable Checkmk packages to ensure the patched omd executable is used.

Avoid running unsafe omd commands as root until the system is fully patched and old versions are removed.

• Safe omd commands to run as root after patching include: `omd su`, `omd stop`, `omd start`, `omd update`, `omd rm`, `omd cleanup`, `omd version`, and `omd setversion`.
• Unsafe omd commands as root until patching include: `omd mv`, `omd cp`, `omd disable`, `omd enable`, `omd update-apache-config`, `omd restore`, `omd backup`, `omd init`, and `omd create`.

For commands like `omd restore` and `omd backup`, a workaround is to run them as the site user rather than root.

Useful 0 Not Useful 0

Compliance Impact

This local privilege escalation vulnerability in Checkmk allows a site user to escalate privileges to root, potentially compromising the entire system and breaking isolation between sites.

Such a compromise could lead to unauthorized access to sensitive data or system controls, which may violate requirements in common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of sensitive information.

Therefore, if exploited, this vulnerability could negatively impact compliance by enabling unauthorized privilege escalation and potential data breaches.

Useful 0 Not Useful 0